Upgrade to Sigstore CLI v3
sethmlarson committed Aug 8, 2024
1 parent ad2d64f commit d8e2c52
Showing 4 changed files with 195 additions and 81 deletions.
38 changes: 30 additions & 8 deletions add_to_pydotorg.py
Expand Up @@ -340,14 +340,36 @@ def has_sigstore_signature(filename: str) -> bool:

if unsigned_files:
print("Signing release files with Sigstore")
run_cmd(
["python3", "-m", "sigstore", "sign", "--oidc-disable-ambient-providers"]
+ unsigned_files
)
for file in unsigned_files:
run_cmd(["chmod", "644", file + ".sig"])
run_cmd(["chmod", "644", file + ".crt"])
run_cmd(["chmod", "644", file + ".sigstore"])
for filename in unsigned_files:
cert_file = filename + ".crt"
sig_file = filename + ".sig"
bundle_file = filename + ".sigstore"

run_cmd(
[
"python3",
"-m",
"sigstore",
"sign",
"--oidc-disable-ambient-providers",
"--signature",
sig_file,
"--certificate",
cert_file,
"--bundle",
bundle_file,
filename,
]
)

# New sigstore CLI makes Sigstore bundles end in '.json'
# but our users expect bundles to be '.sigstore'
if os.path.exists(bundle_file + ".json"):
os.rename(bundle_file + ".json", bundle_file)


run_cmd(["chmod", "644", sig_file])
run_cmd(["chmod", "644", cert_file])
run_cmd(["chmod", "644", bundle_file])
else:
print("All release files already signed with Sigstore")

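Review bot: The loop at `for filename in unsigned_files:` now launches one `sigstore sign` process per file, and because `--oidc-disable-ambient-providers` is kept, every process runs its own OIDC authentication, whereas the removed single invocation authenticated once for the whole set; a release with many unsigned artifacts will prompt the release manager once per file, each prompt yielding a separate short-lived certificate. Per-file invocation looks unavoidable because `--signature`/`--certificate`/`--bundle` name a single output, so the cheaper fix is to obtain the identity token once before the loop and hand it to every invocation with `--identity-token`, if the pinned v3 CLI accepts that flag (please confirm against its help output). At minimum a comment before the loop should record the trade-off, e.g. `# One sign invocation per file: explicit --signature/--certificate/--bundle paths accept a single input, so each file triggers its own OIDC flow.` The same pattern is introduced in run_release.py's sign_source_artifacts loop. The enclosing function starts before this hunk.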
2 changes: 1 addition & 1 deletion requirements.in
Expand Up @@ -10,4 +10,4 @@ alive_progress
python-gnupg
aiohttp
blurb>=1.2.1
sigstore>1.1
sigstore>=3
204 changes: 143 additions & 61 deletions requirements.txt
Expand Up @@ -98,10 +98,9 @@ alive-progress==3.1.4 \
--hash=sha256:74a95d8d0d42bc99d3a3725dbd06ebb852245f1b64e301a7c375b92b22663f7b \
--hash=sha256:c80ad87ce9c1054b01135a87fae69ecebbfc2107497ae87cbe6aec7e534903db
# via -r requirements.in
appdirs==1.4.4 \
--hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \
--hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128
# via sigstore
annotated-types==0.7.0 \
--hash=sha256:1f02e8b43a8fbbc3f3e0d4f0f4bfc8131bcb4eebe8849b8e5c773f3a1c582a53
# via pydantic
async-timeout==4.0.3 \
--hash=sha256:7405140ff1230c310e51dc27b3145b9092d659ce68ff733fb0cefe3ee42be028
# via aiohttp
Expand Down Expand Up @@ -132,9 +131,8 @@ bcrypt==4.0.1 \
--hash=sha256:e9a51bbfe7e9802b5f3508687758b564069ba937748ad7b9e890086290d2f79e \
--hash=sha256:fbdaec13c5105f0c4e5c52614d04f0bca5f5af007910daa8b6b12095edaa67b3
# via paramiko
betterproto==2.0.0b5 \
--hash=sha256:00a301c70a2db4d3cdd2b261522ae1d34972fb04b655a154d67daaaf4131102e \
--hash=sha256:d3e6115c7d5136f1d5974e565b7560273f66b43065e74218e472321ee1258f4c
betterproto==2.0.0b6 \
--hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf
# via sigstore-protobuf-specs
blurb==1.2.1 \
--hash=sha256:71e3adfc9425bc0f3a2d88dde05a9975391044bde000a67395758001ff3a19b5
Expand Down Expand Up @@ -312,6 +310,12 @@ cryptography==42.0.5 \
# paramiko
# pyopenssl
# sigstore
dnspython==2.6.1 \
--hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50
# via email-validator
email-validator==2.2.0 \
--hash=sha256:561977c2d73ce3611850a06fa56b414621e0c8faa9d66f2611407d87465da631
# via pydantic
frozenlist==1.4.1 \
--hash=sha256:04ced3e6a46b4cfffe20f9ae482818e34eba9b5fb0ce4056e4cc9b6e212d09b7 \
--hash=sha256:0633c8d5337cb5c77acbccc6357ac49a1770b8c487e5b3505c57b949b4b82e98 \
Expand Down Expand Up @@ -410,19 +414,25 @@ hyperframe==6.0.1 \
--hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \
--hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914
# via h2
id==1.0.0 \
--hash=sha256:8822ba0454bb8660c4fff439eadbf06236cc354dcabd7ae00d907143d92215f5 \
--hash=sha256:d4b3e75ce0d5f38c9e467826436babe8b9bc5f78e22bae716a22a6a0add570ea
id==1.4.0 \
--hash=sha256:a0391117c98fa9851ebd2b22df0dc6fd6aacbd89a4ec95c173f1311ca9bb7329
# via sigstore
idna==3.7 \
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
--hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
# via
# email-validator
# requests
# yarl
importlib-resources==5.13.0 \
--hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2
# via sigstore
markdown-it-py==3.0.0 \
--hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1
# via rich
mdurl==0.1.2 \
--hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8
# via markdown-it-py
multidict==6.0.5 \
--hash=sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556 \
--hash=sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c \
Expand Down Expand Up @@ -521,49 +531,115 @@ paramiko==3.4.0 \
--hash=sha256:43f0b51115a896f9c00f59618023484cb3a14b98bbceab43394a39c6739b7ee7 \
--hash=sha256:aac08f26a31dc4dffd92821527d1682d99d52f9ef6851968114a8728f3c274d3
# via -r requirements.in
platformdirs==4.2.2 \
--hash=sha256:2d7a1657e36a80ea911db832a8a6ece5ee53d8de21edd5cc5879af6530b1bfee
# via sigstore
pyasn1==0.6.0 \
--hash=sha256:cca4bb0f2df5504f02f6f8a775b6e416ff9b0b3b16f7ee80b5a3153d9b804473
# via sigstore
pycparser==2.21 \
--hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \
--hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206
# via cffi
pydantic==1.10.15 \
--hash=sha256:005655cabc29081de8243126e036f2065bd7ea5b9dff95fde6d2c642d39755de \
--hash=sha256:0d142fa1b8f2f0ae11ddd5e3e317dcac060b951d605fda26ca9b234b92214986 \
--hash=sha256:22ed12ee588b1df028a2aa5d66f07bf8f8b4c8579c2e96d5a9c1f96b77f3bb55 \
--hash=sha256:2746189100c646682eff0bce95efa7d2e203420d8e1c613dc0c6b4c1d9c1fde4 \
--hash=sha256:28e552a060ba2740d0d2aabe35162652c1459a0b9069fe0db7f4ee0e18e74d58 \
--hash=sha256:3287e1614393119c67bd4404f46e33ae3be3ed4cd10360b48d0a4459f420c6a3 \
--hash=sha256:3350f527bb04138f8aff932dc828f154847fbdc7a1a44c240fbfff1b57f49a12 \
--hash=sha256:3453685ccd7140715e05f2193d64030101eaad26076fad4e246c1cc97e1bb30d \
--hash=sha256:394f08750bd8eaad714718812e7fab615f873b3cdd0b9d84e76e51ef3b50b6b7 \
--hash=sha256:4e316e54b5775d1eb59187f9290aeb38acf620e10f7fd2f776d97bb788199e53 \
--hash=sha256:50f1666a9940d3d68683c9d96e39640f709d7a72ff8702987dab1761036206bb \
--hash=sha256:51d405b42f1b86703555797270e4970a9f9bd7953f3990142e69d1037f9d9e51 \
--hash=sha256:584f2d4c98ffec420e02305cf675857bae03c9d617fcfdc34946b1160213a948 \
--hash=sha256:5e09c19df304b8123938dc3c53d3d3be6ec74b9d7d0d80f4f4b5432ae16c2022 \
--hash=sha256:676ed48f2c5bbad835f1a8ed8a6d44c1cd5a21121116d2ac40bd1cd3619746ed \
--hash=sha256:67f1a1fb467d3f49e1708a3f632b11c69fccb4e748a325d5a491ddc7b5d22383 \
--hash=sha256:6a51a1dd4aa7b3f1317f65493a182d3cff708385327c1c82c81e4a9d6d65b2e4 \
--hash=sha256:6bd7030c9abc80134087d8b6e7aa957e43d35714daa116aced57269a445b8f7b \
--hash=sha256:75279d3cac98186b6ebc2597b06bcbc7244744f6b0b44a23e4ef01e5683cc0d2 \
--hash=sha256:7ac9237cd62947db00a0d16acf2f3e00d1ae9d3bd602b9c415f93e7a9fc10528 \
--hash=sha256:7ea210336b891f5ea334f8fc9f8f862b87acd5d4a0cbc9e3e208e7aa1775dabf \
--hash=sha256:82790d4753ee5d00739d6cb5cf56bceb186d9d6ce134aca3ba7befb1eedbc2c8 \
--hash=sha256:92229f73400b80c13afcd050687f4d7e88de9234d74b27e6728aa689abcf58cc \
--hash=sha256:9bea1f03b8d4e8e86702c918ccfd5d947ac268f0f0cc6ed71782e4b09353b26f \
--hash=sha256:a980a77c52723b0dc56640ced396b73a024d4b74f02bcb2d21dbbac1debbe9d0 \
--hash=sha256:af9850d98fc21e5bc24ea9e35dd80a29faf6462c608728a110c0a30b595e58b7 \
--hash=sha256:bbc6989fad0c030bd70a0b6f626f98a862224bc2b1e36bfc531ea2facc0a340c \
--hash=sha256:be51dd2c8596b25fe43c0a4a59c2bee4f18d88efb8031188f9e7ddc6b469cf44 \
--hash=sha256:c365ad9c394f9eeffcb30a82f4246c0006417f03a7c0f8315d6211f25f7cb654 \
--hash=sha256:c3d5731a120752248844676bf92f25a12f6e45425e63ce22e0849297a093b5b0 \
--hash=sha256:d207d5b87f6cbefbdb1198154292faee8017d7495a54ae58db06762004500d00 \
--hash=sha256:d31ee5b14a82c9afe2bd26aaa405293d4237d0591527d9129ce36e58f19f95c1 \
--hash=sha256:d3b5c4cbd0c9cb61bbbb19ce335e1f8ab87a811f6d589ed52b0254cf585d709c \
--hash=sha256:d573082c6ef99336f2cb5b667b781d2f776d4af311574fb53d908517ba523c22 \
--hash=sha256:e49db944fad339b2ccb80128ffd3f8af076f9f287197a480bf1e4ca053a866f0
pydantic[email]==2.8.2 \
--hash=sha256:73ee9fddd406dc318b885c7a2eab8a6472b68b8fb5ba8150949fc3db939f23c8
# via
# id
# sigstore
# sigstore-rekor-types
pydantic-core==2.20.1 \
--hash=sha256:035ede2e16da7281041f0e626459bcae33ed998cca6a0a007a5ebb73414ac72d \
--hash=sha256:04024d270cf63f586ad41fff13fde4311c4fc13ea74676962c876d9577bcc78f \
--hash=sha256:0827505a5c87e8aa285dc31e9ec7f4a17c81a813d45f70b1d9164e03a813a686 \
--hash=sha256:084659fac3c83fd674596612aeff6041a18402f1e1bc19ca39e417d554468482 \
--hash=sha256:10d4204d8ca33146e761c79f83cc861df20e7ae9f6487ca290a97702daf56006 \
--hash=sha256:11b71d67b4725e7e2a9f6e9c0ac1239bbc0c48cce3dc59f98635efc57d6dac83 \
--hash=sha256:150906b40ff188a3260cbee25380e7494ee85048584998c1e66df0c7a11c17a6 \
--hash=sha256:175873691124f3d0da55aeea1d90660a6ea7a3cfea137c38afa0a5ffabe37b88 \
--hash=sha256:177f55a886d74f1808763976ac4efd29b7ed15c69f4d838bbd74d9d09cf6fa86 \
--hash=sha256:19c0fa39fa154e7e0b7f82f88ef85faa2a4c23cc65aae2f5aea625e3c13c735a \
--hash=sha256:1eedfeb6089ed3fad42e81a67755846ad4dcc14d73698c120a82e4ccf0f1f9f6 \
--hash=sha256:225b67a1f6d602de0ce7f6c1c3ae89a4aa25d3de9be857999e9124f15dab486a \
--hash=sha256:242b8feb3c493ab78be289c034a1f659e8826e2233786e36f2893a950a719bb6 \
--hash=sha256:254ec27fdb5b1ee60684f91683be95e5133c994cc54e86a0b0963afa25c8f8a6 \
--hash=sha256:25e9185e2d06c16ee438ed39bf62935ec436474a6ac4f9358524220f1b236e43 \
--hash=sha256:26ab812fa0c845df815e506be30337e2df27e88399b985d0bb4e3ecfe72df31c \
--hash=sha256:26dc97754b57d2fd00ac2b24dfa341abffc380b823211994c4efac7f13b9e90e \
--hash=sha256:270755f15174fb983890c49881e93f8f1b80f0b5e3a3cc1394a255706cabd203 \
--hash=sha256:2aafc5a503855ea5885559eae883978c9b6d8c8993d67766ee73d82e841300dd \
--hash=sha256:2d036c7187b9422ae5b262badb87a20a49eb6c5238b2004e96d4da1231badef1 \
--hash=sha256:33499e85e739a4b60c9dac710c20a08dc73cb3240c9a0e22325e671b27b70d24 \
--hash=sha256:37eee5b638f0e0dcd18d21f59b679686bbd18917b87db0193ae36f9c23c355fc \
--hash=sha256:38cf1c40a921d05c5edc61a785c0ddb4bed67827069f535d794ce6bcded919fc \
--hash=sha256:3acae97ffd19bf091c72df4d726d552c473f3576409b2a7ca36b2f535ffff4a3 \
--hash=sha256:3c5ebac750d9d5f2706654c638c041635c385596caf68f81342011ddfa1e5598 \
--hash=sha256:3d482efec8b7dc6bfaedc0f166b2ce349df0011f5d2f1f25537ced4cfc34fd98 \
--hash=sha256:407653af5617f0757261ae249d3fba09504d7a71ab36ac057c938572d1bc9331 \
--hash=sha256:40a783fb7ee353c50bd3853e626f15677ea527ae556429453685ae32280c19c2 \
--hash=sha256:41e81317dd6a0127cabce83c0c9c3fbecceae981c8391e6f1dec88a77c8a569a \
--hash=sha256:41f4c96227a67a013e7de5ff8f20fb496ce573893b7f4f2707d065907bffdbd6 \
--hash=sha256:469f29f9093c9d834432034d33f5fe45699e664f12a13bf38c04967ce233d688 \
--hash=sha256:4745f4ac52cc6686390c40eaa01d48b18997cb130833154801a442323cc78f91 \
--hash=sha256:4868f6bd7c9d98904b748a2653031fc9c2f85b6237009d475b1008bfaeb0a5aa \
--hash=sha256:4aa223cd1e36b642092c326d694d8bf59b71ddddc94cdb752bbbb1c5c91d833b \
--hash=sha256:4dd484681c15e6b9a977c785a345d3e378d72678fd5f1f3c0509608da24f2ac0 \
--hash=sha256:4f2790949cf385d985a31984907fecb3896999329103df4e4983a4a41e13e840 \
--hash=sha256:512ecfbefef6dac7bc5eaaf46177b2de58cdf7acac8793fe033b24ece0b9566c \
--hash=sha256:516d9227919612425c8ef1c9b869bbbee249bc91912c8aaffb66116c0b447ebd \
--hash=sha256:53e431da3fc53360db73eedf6f7124d1076e1b4ee4276b36fb25514544ceb4a3 \
--hash=sha256:595ba5be69b35777474fa07f80fc260ea71255656191adb22a8c53aba4479231 \
--hash=sha256:5b5ff4911aea936a47d9376fd3ab17e970cc543d1b68921886e7f64bd28308d1 \
--hash=sha256:5d41e6daee2813ecceea8eda38062d69e280b39df793f5a942fa515b8ed67953 \
--hash=sha256:5e999ba8dd90e93d57410c5e67ebb67ffcaadcea0ad973240fdfd3a135506250 \
--hash=sha256:5f239eb799a2081495ea659d8d4a43a8f42cd1fe9ff2e7e436295c38a10c286a \
--hash=sha256:635fee4e041ab9c479e31edda27fcf966ea9614fff1317e280d99eb3e5ab6fe2 \
--hash=sha256:65db0f2eefcaad1a3950f498aabb4875c8890438bc80b19362cf633b87a8ab20 \
--hash=sha256:6b507132dcfc0dea440cce23ee2182c0ce7aba7054576efc65634f080dbe9434 \
--hash=sha256:6b9d9bb600328a1ce523ab4f454859e9d439150abb0906c5a1983c146580ebab \
--hash=sha256:70c8daf4faca8da5a6d655f9af86faf6ec2e1768f4b8b9d0226c02f3d6209703 \
--hash=sha256:77bf3ac639c1ff567ae3b47f8d4cc3dc20f9966a2a6dd2311dcc055d3d04fb8a \
--hash=sha256:784c1214cb6dd1e3b15dd8b91b9a53852aed16671cc3fbe4786f4f1db07089e2 \
--hash=sha256:7eb6a0587eded33aeefea9f916899d42b1799b7b14b8f8ff2753c0ac1741edac \
--hash=sha256:7ed1b0132f24beeec5a78b67d9388656d03e6a7c837394f99257e2d55b461611 \
--hash=sha256:8ad4aeb3e9a97286573c03df758fc7627aecdd02f1da04516a86dc159bf70121 \
--hash=sha256:964faa8a861d2664f0c7ab0c181af0bea66098b1919439815ca8803ef136fc4e \
--hash=sha256:9dc1b507c12eb0481d071f3c1808f0529ad41dc415d0ca11f7ebfc666e66a18b \
--hash=sha256:9ebfef07dbe1d93efb94b4700f2d278494e9162565a54f124c404a5656d7ff09 \
--hash=sha256:a45f84b09ac9c3d35dfcf6a27fd0634d30d183205230a0ebe8373a0e8cfa0906 \
--hash=sha256:a4f55095ad087474999ee28d3398bae183a66be4823f753cd7d67dd0153427c9 \
--hash=sha256:a6d511cc297ff0883bc3708b465ff82d7560193169a8b93260f74ecb0a5e08a7 \
--hash=sha256:a8ad4c766d3f33ba8fd692f9aa297c9058970530a32c728a2c4bfd2616d3358b \
--hash=sha256:aa2f457b4af386254372dfa78a2eda2563680d982422641a85f271c859df1987 \
--hash=sha256:b03f7941783b4c4a26051846dea594628b38f6940a2fdc0df00b221aed39314c \
--hash=sha256:b0dae11d8f5ded51699c74d9548dcc5938e0804cc8298ec0aa0da95c21fff57b \
--hash=sha256:b91ced227c41aa29c672814f50dbb05ec93536abf8f43cd14ec9521ea09afe4e \
--hash=sha256:bc633a9fe1eb87e250b5c57d389cf28998e4292336926b0b6cdaee353f89a237 \
--hash=sha256:bebb4d6715c814597f85297c332297c6ce81e29436125ca59d1159b07f423eb1 \
--hash=sha256:c336a6d235522a62fef872c6295a42ecb0c4e1d0f1a3e500fe949415761b8a19 \
--hash=sha256:c6514f963b023aeee506678a1cf821fe31159b925c4b76fe2afa94cc70b3222b \
--hash=sha256:c693e916709c2465b02ca0ad7b387c4f8423d1db7b4649c551f27a529181c5ad \
--hash=sha256:c81131869240e3e568916ef4c307f8b99583efaa60a8112ef27a366eefba8ef0 \
--hash=sha256:d02a72df14dfdbaf228424573a07af10637bd490f0901cee872c4f434a735b94 \
--hash=sha256:d2a8fa9d6d6f891f3deec72f5cc668e6f66b188ab14bb1ab52422fe8e644f312 \
--hash=sha256:d2b27e6af28f07e2f195552b37d7d66b150adbaa39a6d327766ffd695799780f \
--hash=sha256:d2fe69c5434391727efa54b47a1e7986bb0186e72a41b203df8f5b0a19a4f669 \
--hash=sha256:d3f3ed29cd9f978c604708511a1f9c2fdcb6c38b9aae36a51905b8811ee5cbf1 \
--hash=sha256:d573faf8eb7e6b1cbbcb4f5b247c60ca8be39fe2c674495df0eb4318303137fe \
--hash=sha256:e0bbdd76ce9aa5d4209d65f2b27fc6e5ef1312ae6c5333c26db3f5ade53a1e99 \
--hash=sha256:e7c4ea22b6739b162c9ecaaa41d718dfad48a244909fe7ef4b54c0b530effc5a \
--hash=sha256:e93e1a4b4b33daed65d781a57a522ff153dcf748dee70b40c7258c5861e1768a \
--hash=sha256:e97fdf088d4b31ff4ba35db26d9cc472ac7ef4a2ff2badeabf8d727b3377fc52 \
--hash=sha256:e9fa4c9bf273ca41f940bceb86922a7667cd5bf90e95dbb157cbb8441008482c \
--hash=sha256:eaad4ff2de1c3823fddf82f41121bdf453d922e9a238642b1dedb33c4e4f98ad \
--hash=sha256:f1f62b2413c3a0e846c3b838b2ecd6c7a19ec6793b2a522745b0869e37ab5bc1 \
--hash=sha256:f6d6cff3538391e8486a431569b77921adfcdef14eb18fbf19b7c0a5294d4e6a \
--hash=sha256:f9aa05d09ecf4c75157197f27cdc9cfaeb7c5f15021c6373932bf3e124af029f \
--hash=sha256:fa2fddcb7107e0d1808086ca306dcade7df60a13a6c347a7acf1ec139aa6789a \
--hash=sha256:faa6b09ee09433b87992fb5a2859efd1c264ddc37280d2dd5db502126d0e7f27
# via pydantic
pygments==2.18.0 \
--hash=sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a
# via rich
pyjwt==2.8.0 \
--hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \
--hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320
Expand Down Expand Up @@ -598,31 +674,37 @@ requests==2.32.0 \
# id
# sigstore
# tuf
securesystemslib==0.28.0 \
--hash=sha256:9e6b9abe36a511d4f52c759069db8f6f650362ba82d6efc7bc7466a458b3f499 \
--hash=sha256:a27e519247576f2a77b97fb03267d8eeb88eba715d12da64109e845616f919c6
# via
# sigstore
# tuf
sigstore==1.1.2 \
--hash=sha256:1252c34b6bf0f5c0680dffe36e1961bd23da9dd77838fc8ece35bcf87a3bf6df \
--hash=sha256:1f5d74006073a4bc1572290fb133418c25ff76c5a02fcb567c3feb238d425ab3
rfc8785==0.1.3 \
--hash=sha256:6116062831c62e7ac5d027973a1fe07b601ccd854bca4a2b401938a00a20b0c0
# via sigstore
rich==13.7.1 \
--hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222
# via sigstore
securesystemslib==1.1.0 \
--hash=sha256:100bf04e60b260e1c7c51e3232647697fde2c5ca5772fda4932d841d3fb6dd0e
# via tuf
sigstore==3.1.0 \
--hash=sha256:3cfe2da19a053757a06bd9ecae322fa539fece7df3e8139d30e32172e41cb812
# via -r requirements.in
sigstore-protobuf-specs==0.1.0 \
--hash=sha256:0e7766add04b5bd145181936e6fedbb2609d7e959f2740051cbca12572b277a2 \
--hash=sha256:622b2d231613a28ed3e6660acd87818675b4e83486f49a0f0c198ac5475fcb81
sigstore-protobuf-specs==0.3.2 \
--hash=sha256:50c99fa6747a3a9c5c562a43602cf76df0b199af28f0e9d4319b6775630425ea
# via sigstore
sigstore-rekor-types==0.0.13 \
--hash=sha256:377fee942d5fc66437a4f54599472157149affaece9bbc7deb05e5b42f34ceba
# via sigstore
six==1.16.0 \
--hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
--hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
# via python-dateutil
tuf==2.1.0 \
--hash=sha256:ab22d1143d4d8aa20c94d243de27eedc8cd517e251ddaf4a88c10952358a13ea
tuf==5.0.0 \
--hash=sha256:91a4ca279c33222ac1451a5b0bcdcbbf12c965e0d22278bead5bf8d3ab95117a
# via sigstore
typing-extensions==4.7.1 \
--hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \
--hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2
# via pydantic
# via
# pydantic
# pydantic-core
urllib3==2.0.7 \
--hash=sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84 \
--hash=sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e
32 changes: 21 additions & 11 deletions run_release.py
Expand Up @@ -565,17 +565,27 @@ def sign_source_artifacts(db: ReleaseShelf) -> None:
subprocess.check_call(["gpg", "-bas", "-u", uid, xz])

print("Signing tarballs with Sigstore")
subprocess.check_call(
[
"python3",
"-m",
"sigstore",
"sign",
"--oidc-disable-ambient-providers",
tgz,
xz,
]
)
for filename in (tgz, xz):
cert_file = filename + ".crt"
sig_file = filename + ".sig"
bundle_file = filename + ".sigstore"

subprocess.check_call(
[
"python3",
"-m",
"sigstore",
"sign",
"--oidc-disable-ambient-providers",
"--signature",
sig_file,
"--certificate",
cert_file,
"--bundle",
bundle_file,
filename,
]
)


def build_sbom_artifacts(db: ReleaseShelf) -> None:
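Review bot: The bundle-name fallback this commit adds in add_to_pydotorg.py (`if os.path.exists(bundle_file + ".json"): os.rename(bundle_file + ".json", bundle_file)`) is missing from this loop, so if the v3 CLI does append `.json` to the bundle path despite the explicit `--bundle`, the tarball bundles end up as `*.sigstore.json` while add_to_pydotorg.py's `has_sigstore_signature` presumably looks for `*.sigstore` and would treat the tarballs as unsigned and re-sign them. Either the fallback belongs in both scripts, or, if the explicit path is honoured as given, it is dead code in add_to_pydotorg.py; the two should agree, and the confirmed CLI behaviour should be stated in the comment above the rename. `sign_source_artifacts` starts before this hunk.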

0 comments on commit d8e2c52
