
Upgrade to sigstore 4.0.0

Open hugovk opened this issue 3 months ago • 2 comments

Split out from https://github.com/python/release-tools/pull/283.

cc @sethmlarson, @woodruffw

The flow here is:

  • run_release.py is run on the release manager's machine. That pops open the sigstore auth page, and fetches an identity token.
  • The token is then put into a SIGSTORE_IDENTITY_TOKEN env var, for when the sigstore CLI is run by add_to_pydotorg.py on the downloads server, where the file signing happens.

I can also give this a demo run with 3.15.0a1 next week.

hugovk avatar Oct 09 '25 19:10 hugovk

I've asked the Sigstore Python maintainers what the effects of upgrading are for 4.0.0; it was not immediately clear to me what the backwards-incompatible changes would mean for our users.

sethmlarson avatar Oct 10 '25 14:10 sethmlarson

sigstore 4.1.0 has been released.

ezio-melotti avatar Nov 01 '25 06:11 ezio-melotti