Use sigstore for Python artifact verification #303
Merged: agners merged 4 commits into home-assistant:master, Jun 10, 2025
Conversation

cdce8p (Member, Author) commented on Jun 5, 2025, on lines +24 to +25:
| && apk add --no-cache --virtual .cosign cosign \ | ||
| --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \ |
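Review bot: cosign is installed into the `.cosign` virtual group here, but this fragment shows no matching `apk del .cosign`; make sure the group is removed in the same RUN layer once verification is done so cosign does not ship in the final image. The hardcoded `--repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community"` also deserves a comment on the line itself saying it exists only until the 3.19/3.20 base images are dropped, so it gets cleaned up rather than forgotten.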
The Python sigstore bundles use the new bundle format, the verification of which requires cosign>=4.2.0. Unfortunately, alpine 3.21 is the earliest release with it, in this case version 4.2.1. The additional repository is necessary until 3.19 and 3.20 are dropped.
There is a draft PR to add sigstore validation to the "official" Python docker images which uses a similar approach: docker-library/python#983
agners (Member) approved these changes on Jun 10, 2025, commenting on the following lines:
| # ensure local python is preferred over distribution python | ||
| ENV PATH /usr/local/bin:$PATH | ||
| ENV PATH=/usr/local/bin:$PATH |
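Review bot: the legacy space-separated `ENV PATH /usr/local/bin:$PATH` form is what triggers the Dockerfile warning mentioned in the description, and `ENV PATH=/usr/local/bin:$PATH` is the documented fix; please apply the `=` form to every ENV instruction in the touched Dockerfiles rather than only this line, so the warning disappears consistently.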
Hm, I think the space variant also did not expand $PATH... I wonder how certain things even worked with that in mind 🤔
Anyways, this is the right thing to do 👍
cdce8p (Member, Author): CI is all green now
PR description (cdce8p):

PEP 761 deprecated the PGP signatures for CPython artifacts. Python 3.14 will only support verification with sigstore.

As all releases since 3.11.0 include sigstore bundles, we can already update all docker files to use that instead. https://www.python.org/downloads/metadata/sigstore/

--

Also fix a minor warning in the dockerfile regarding ENV: https://docs.docker.com/reference/dockerfile/#env
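As an added example (not code from PR #303 or from the home-assistant repositories), the shell below puts the two technical points of this thread together: installing cosign from the Alpine v3.21 community repository as in the commented Dockerfile lines, gating on the minimum cosign version named in the comment (4.2.0, overridable with MIN_COSIGN), and running `cosign verify-blob` against the `.sigstore` bundle that python.org publishes next to each artifact. The certificate identity and OIDC issuer are left as environment variables because they differ per release manager; the `GitVersion:` parsing of `cosign version` output, the `.sigstore` bundle naming and the `verify.sh` file name are assumptions to check against your cosign build and the python.org sigstore page.

```shell
#!/bin/sh
# Added example, not part of PR #303: verify a CPython artifact against its
# sigstore bundle with cosign. CERT_IDENTITY / CERT_ISSUER are placeholders
# (ASSUMPTION): take the real values per release from
# https://www.python.org/downloads/metadata/sigstore/
set -eu

# version_ge A B: exit 0 when dotted version A >= B. Components compare as
# numbers (so 4.10.0 > 4.2.1); a leading "v" and a distro suffix such as the
# "-r0" in Alpine's "4.2.1-r0" are ignored, missing components count as 0.
version_ge() {
    IFS=. read -r a1 a2 a3 <<EOF
${1#v}
EOF
    IFS=. read -r b1 b2 b3 <<EOF
${2#v}
EOF
    a3=${a3%%[!0-9]*}; b3=${b3%%[!0-9]*}
    [ "$(( ${a1:-0} * 1000000 + ${a2:-0} * 1000 + ${a3:-0} ))" -ge \
      "$(( ${b1:-0} * 1000000 + ${b2:-0} * 1000 + ${b3:-0} ))" ]
}

# Installed cosign version, taken from the "GitVersion:" line that
# `cosign version` prints (ASSUMPTION about the output layout).
cosign_version() {
    cosign version 2>&1 | sed -n 's/^GitVersion:[[:space:]]*//p'
}

# Alpine install as in the PR: cosign comes from the v3.21 community repository
# until the 3.19/3.20 base images are gone; ".cosign" names the virtual group
# so that `apk del .cosign` removes it again after verification.
install_cosign_alpine() {
    apk add --no-cache --virtual .cosign cosign \
        --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community"
}

# verify_python_artifact FILE [BUNDLE] [extra cosign flags...]
# python.org publishes the bundle next to the artifact as FILE.sigstore.
# Fails closed: an old cosign cannot read the new bundle format, so we refuse
# to run rather than let a "verification" step silently mean nothing.
verify_python_artifact() {
    artifact=$1; shift
    bundle=${1:-$artifact.sigstore}
    [ $# -gt 0 ] && shift
    : "${CERT_IDENTITY:?set to the release manager identity from python.org}"
    : "${CERT_ISSUER:?set to the OIDC issuer listed for that identity}"
    min=${MIN_COSIGN:-4.2.0}
    have=$(cosign_version)
    if ! version_ge "$have" "$min"; then
        echo "cosign $have is older than $min; new bundle format unsupported" >&2
        return 1
    fi
    cosign verify-blob \
        --bundle "$bundle" \
        --certificate-identity "$CERT_IDENTITY" \
        --certificate-oidc-issuer "$CERT_ISSUER" \
        "$@" "$artifact"
}

# Usage (not run here; the version shown is only an illustration):
#   CERT_IDENTITY=... CERT_ISSUER=... sh verify.sh Python-3.13.3.tgz
```

In a Dockerfile the three steps belong in one RUN layer: `install_cosign_alpine`, the verify call, then `apk del .cosign`, so the tool is gone from the final image. If your cosign build needs an explicit switch for the new bundle format, pass it as an extra argument after the bundle path; it is forwarded to `cosign verify-blob` unchanged.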