From a068d8102dd7988a8634a208c3314aafd21623ff Mon Sep 17 00:00:00 2001
From: Sten Spans
Date: Thu, 17 Oct 2024 08:44:06 +0200
Subject: [PATCH 1/2] switch to sigstore for all checksums

---
 versions.sh | 30 ------------------------------
 1 file changed, 30 deletions(-)

diff --git a/versions.sh b/versions.sh
index 53c0498c4..ece0db784 100755
--- a/versions.sh
+++ b/versions.sh
@@ -40,36 +40,6 @@ check_file() {
 return 0
 fi
 
- # TODO is this even necessary/useful? the sigstore-based version above is *much* faster, supports all current versions (not just 3.12+ like this), *and* should be more reliable 🤔
- local sbom
- if sbom="$(
- wget -qO- -o/dev/null "$url.spdx.json" \
- | jq --arg filename "$filename" '
- first(
- .packages[]
- | select(
- .name == "CPython"
- and .packageFileName == $filename
- )
- )
- | .checksums
- | map({
- key: (.algorithm // empty | ascii_downcase),
- value: (.checksumValue // empty),
- })
- | if length < 1 then
- error("no checksums found for \($filename)")
- else . end
- | from_entries
- | if has("sha256") then . else
- error("missing sha256 for \($filename); have \(.)")
- end
- '
- )" && [ -n "sbom" ]; then
- checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --argjson sums "$sbom" '.[$type] += $sums')"
- return 0
- fi
-
 if ! wget -q -O /dev/null -o /dev/null --spider "$url"; then
 return 1
 fi

From e010a4632a8dbcc08d29409a7c82621cfdc77e87 Mon Sep 17 00:00:00 2001
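Review bot: With the SBOM fallback removed, a release whose sigstore lookup (above this hunk, not visible here) fails now reaches the `wget --spider` existence check with no sha256 recorded, and the Dockerfile template in the second patch only emits the `sha256sum -c` step when `.checksums.source.sha256` is present, so such a build would silently lose its checksum verification. check_file starts before this hunk and the body after the spider check is outside it, so I cannot confirm whether an empty checksum set is treated as an error later; if it is not, a loud failure before the spider check, e.g. `[ -n "${checksums["$fullVersion"]:-}" ] || { echo >&2 "error: no sha256 recorded for $fullVersion ($type)"; return 1; }`, keeps the gap visible (adjust if a missing checksum is an accepted state for some file types). The removed TODO was also the only text explaining that sigstore is the primary source; a one-line comment to that effect above the spider check would preserve that context.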
From: Sten Spans Date: Thu, 17 Oct 2024 10:16:37 +0200 Subject: [PATCH 2/2] enable sigstore verification for alpine --- 3.10/alpine3.19/Dockerfile | 15 +++++----- 3.10/alpine3.20/Dockerfile | 15 +++++----- 3.11/alpine3.19/Dockerfile | 15 +++++----- 3.11/alpine3.20/Dockerfile | 15 +++++----- 3.12/alpine3.19/Dockerfile | 15 +++++----- 3.12/alpine3.20/Dockerfile | 15 +++++----- 3.13/alpine3.19/Dockerfile | 15 +++++----- 3.13/alpine3.20/Dockerfile | 15 +++++----- 3.14-rc/alpine3.19/Dockerfile | 8 +++++- 3.14-rc/alpine3.20/Dockerfile | 8 +++++- 3.9/alpine3.19/Dockerfile | 15 +++++----- 3.9/alpine3.20/Dockerfile | 15 +++++----- Dockerfile-linux.template | 52 +++++++++++++++++++++++++++++++++-- 13 files changed, 133 insertions(+), 85 deletions(-) diff --git a/3.10/alpine3.19/Dockerfile b/3.10/alpine3.19/Dockerfile index df5dd811b..22db41107 100644 --- a/3.10/alpine3.19/Dockerfile +++ b/3.10/alpine3.19/Dockerfile @@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY pablogsal@python.org ENV PYTHON_VERSION 3.10.15 ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ 
@@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -119,6 +117,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.10/alpine3.20/Dockerfile b/3.10/alpine3.20/Dockerfile index 330b28c17..8a4c2105c 100644 --- a/3.10/alpine3.20/Dockerfile +++ b/3.10/alpine3.20/Dockerfile 
@@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY pablogsal@python.org ENV PYTHON_VERSION 3.10.15 ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -119,6 +117,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.11/alpine3.19/Dockerfile b/3.11/alpine3.19/Dockerfile index 0de2b82ed..3a6a7d6e0 100644 --- a/3.11/alpine3.19/Dockerfile 
+++ b/3.11/alpine3.19/Dockerfile @@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY pablogsal@python.org ENV PYTHON_VERSION 3.11.10 ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -119,6 +117,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.11/alpine3.20/Dockerfile b/3.11/alpine3.20/Dockerfile index 914e34edc..b444f6a15 100644 
--- a/3.11/alpine3.20/Dockerfile +++ b/3.11/alpine3.20/Dockerfile @@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY pablogsal@python.org ENV PYTHON_VERSION 3.11.10 ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -119,6 +117,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ 
diff --git a/3.12/alpine3.19/Dockerfile b/3.12/alpine3.19/Dockerfile index 7cfbf1d31..79dc68e81 100644 --- a/3.12/alpine3.19/Dockerfile +++ b/3.12/alpine3.19/Dockerfile @@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY thomas@python.org ENV PYTHON_VERSION 3.12.7 ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ 
@@ -119,6 +117,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.12/alpine3.20/Dockerfile b/3.12/alpine3.20/Dockerfile index 9a984f575..b5fbc80f8 100644 --- a/3.12/alpine3.20/Dockerfile +++ b/3.12/alpine3.20/Dockerfile @@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY thomas@python.org ENV PYTHON_VERSION 3.12.7 ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ 
@@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -119,6 +117,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.13/alpine3.19/Dockerfile b/3.13/alpine3.19/Dockerfile index 814a33818..b9f0462ca 100644 --- a/3.13/alpine3.19/Dockerfile +++ b/3.13/alpine3.19/Dockerfile 
@@ -16,14 +16,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY thomas@python.org ENV PYTHON_VERSION 3.13.0 ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -55,12 +56,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -114,6 +112,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.13/alpine3.20/Dockerfile b/3.13/alpine3.20/Dockerfile index dd8642626..0a88acacb 100644 --- a/3.13/alpine3.20/Dockerfile 
+++ b/3.13/alpine3.20/Dockerfile @@ -16,14 +16,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 +ENV CERTIFICATE_ISSUER https://accounts.google.com +ENV CERTIFICATE_IDENTITY thomas@python.org ENV PYTHON_VERSION 3.13.0 ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -55,12 +56,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -114,6 +112,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.14-rc/alpine3.19/Dockerfile b/3.14-rc/alpine3.19/Dockerfile index bb8bea96e..5f7dc710e 100644 
--- a/3.14-rc/alpine3.19/Dockerfile +++ b/3.14-rc/alpine3.19/Dockerfile @@ -16,13 +16,15 @@ RUN set -eux; \ tzdata \ ; +ENV CERTIFICATE_ISSUER https://github.com/login/oauth +ENV CERTIFICATE_IDENTITY hugo@python.org ENV PYTHON_VERSION 3.14.0a1 ENV PYTHON_SHA256 3e464b0cbb7535e2db34262fd19a0a393d0e62be0f43b1513ed98379b054ead4 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -54,6 +56,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -107,6 +112,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.14-rc/alpine3.20/Dockerfile b/3.14-rc/alpine3.20/Dockerfile index 4af7c70ca..2a351cb57 100644 --- a/3.14-rc/alpine3.20/Dockerfile +++ b/3.14-rc/alpine3.20/Dockerfile 
@@ -16,13 +16,15 @@ RUN set -eux; \ tzdata \ ; +ENV CERTIFICATE_ISSUER https://github.com/login/oauth +ENV CERTIFICATE_IDENTITY hugo@python.org ENV PYTHON_VERSION 3.14.0a1 ENV PYTHON_SHA256 3e464b0cbb7535e2db34262fd19a0a393d0e62be0f43b1513ed98379b054ead4 RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -54,6 +56,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -107,6 +112,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.9/alpine3.19/Dockerfile b/3.9/alpine3.19/Dockerfile index 1163933f8..d3c008f26 100644 --- a/3.9/alpine3.19/Dockerfile +++ b/3.9/alpine3.19/Dockerfile 
@@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 +ENV CERTIFICATE_ISSUER https://github.com/login/oauth +ENV CERTIFICATE_IDENTITY lukasz@langa.pl ENV PYTHON_VERSION 3.9.20 ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -118,6 +116,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/3.9/alpine3.20/Dockerfile b/3.9/alpine3.20/Dockerfile index 00a3b9a64..c651f09dd 100644 --- a/3.9/alpine3.20/Dockerfile 
+++ b/3.9/alpine3.20/Dockerfile @@ -21,14 +21,15 @@ RUN set -eux; \ tzdata \ ; -ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 +ENV CERTIFICATE_ISSUER https://github.com/login/oauth +ENV CERTIFICATE_IDENTITY lukasz@langa.pl ENV PYTHON_VERSION 3.9.20 ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ + apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \ apk add --no-cache --virtual .build-deps \ - gnupg \ tar \ xz \ \ @@ -60,12 +61,9 @@ RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \ + cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \ + --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \ mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ rm python.tar.xz; \ @@ -118,6 +116,7 @@ RUN set -eux; \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | xargs -rt apk add --no-network --virtual .python-rundeps \ ; \ + apk del --no-network .cosign; \ apk del --no-network .build-deps; \ \ export PYTHONDONTWRITEBYTECODE=1; \ diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template index a0b86ca95..ddde0d8cf 100644 
--- a/Dockerfile-linux.template
+++ b/Dockerfile-linux.template
@@ -52,13 +52,54 @@ RUN set -eux; \
 {{ ) end -}}
 {{
+ def should_sigstore:
+ env.variant | startswith("alpine")
+ ;
 def should_pgp:
 # https://github.com/docker-library/python/issues/977
 # https://peps.python.org/pep-0761/
 # https://discuss.python.org/t/pep-761-deprecating-pgp-signatures-for-cpython-artifacts/67180
 rcVersion | IN("3.9", "3.10", "3.11", "3.12", "3.13")
 -}}
-{{ if should_pgp then ( -}}
+{{ if should_sigstore then ( -}}
+ENV CERTIFICATE_ISSUER {{
+ {
+ "3.9": "https://github.com/login/oauth",
+ "3.10": "https://accounts.google.com",
+ "3.11": "https://accounts.google.com",
+ "3.12": "https://accounts.google.com",
+ "3.13": "https://accounts.google.com",
+ "3.14": "https://github.com/login/oauth"
+ }[rcVersion]
+}}
+ENV CERTIFICATE_IDENTITY {{
+ {
+ # release manager: Łukasz Langa
+ "3.9": "lukasz@langa.pl",
+ # https://peps.python.org/pep-0596/#release-manager-and-crew
+
+ # release manager: Pablo Galindo Salgado
+ "3.10": "pablogsal@python.org",
+ # https://peps.python.org/pep-0619/#release-manager-and-crew
+
+ # release manager: Pablo Galindo Salgado
+ "3.11": "pablogsal@python.org",
+ # https://peps.python.org/pep-0664/#release-manager-and-crew
+
+ # release manager: Thomas Wouters
+ "3.12": "thomas@python.org",
+ # https://peps.python.org/pep-0693/#release-manager-and-crew
+
+ # release manager: Thomas Wouters
+ "3.13": "thomas@python.org",
+ # https://peps.python.org/pep-0719/#release-manager-and-crew
+
+ # release manager: Hugo van Kemenade
+ "3.14": "hugo@python.org"
+ # https://peps.python.org/pep-0745/#release-manager-and-crew
+ }[rcVersion]
+}}
+{{ ) elif should_pgp then ( -}}
 ENV GPG_KEY {{
 {
 # gpg: key B26995E310250568: public key "\xc5\x81ukasz Langa (GPG langa.pl) " imported
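Review bot: Both lookup tables under `ENV CERTIFICATE_ISSUER` and `ENV CERTIFICATE_IDENTITY` are indexed with `}[rcVersion]` and carry no default, so an rcVersion absent from either table renders the literal `null` into the generated Dockerfile and the problem only surfaces later as an opaque cosign identity mismatch inside the image build. Ending each lookup with `}[rcVersion] // error("no sigstore issuer/identity for \(rcVersion)")` makes template generation fail with the version named instead. Separately, `should_sigstore` keys on `env.variant` while `should_pgp` keys on rcVersion, so a non-alpine 3.14 build falls into neither branch and gets no signature check at all; the commit title scopes this to alpine, so presumably that is a follow-up, but a short comment next to `def should_sigstore:` stating the intended rollout would save the next reader from guessing.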
@@ -91,8 +132,8 @@ ENV PYTHON_SHA256 {{ .checksums.source.sha256 }}
 RUN set -eux; \
 \
 {{ if is_alpine then ( -}}
+ apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community; \
 apk add --no-cache --virtual .build-deps \
- gnupg \
 tar \
 xz \
 \
@@ -154,7 +195,11 @@ RUN set -eux; \
 {{ if .checksums.source.sha256 then ( -}}
 echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \
 {{ ) else "" end -}}
-{{ if should_pgp then ( -}}
+{{ if should_sigstore then ( -}}
+ wget -O python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore"; \
+ cosign verify-blob python.tar.xz --bundle python.tar.xz.sigstore --new-bundle-format \
+ --certificate-identity ${CERTIFICATE_IDENTITY} --certificate-oidc-issuer ${CERTIFICATE_ISSUER}; \
+{{ ) elif should_pgp then ( -}}
 wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \
 GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
 gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \
@@ -244,6 +289,7 @@ RUN set -eux; \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 | xargs -rt apk add --no-network --virtual .python-rundeps \
 ; \
+ apk del --no-network .cosign; \
 apk del --no-network .build-deps; \
 {{ ) else ( -}}
 ldconfig; \
pFad - Phonifier reborn
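Review bot: The added `apk add --no-cache --virtual .cosign cosign --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community` line installs the verifier from Alpine's unpinned edge branch into a stable 3.19/3.20 build, so the cosign version (and any edge dependencies it pulls in) can differ between two builds of the same Dockerfile; apk still validates the package signature, so this is a reproducibility and breakage risk rather than a trust-root one. Presumably edge is needed because `--new-bundle-format` requires a cosign newer than stable ships; if so, pinning the package, e.g. `cosign=<pinned-version>` with a comment naming the minimum cosign release that supports the flag, records that requirement and keeps builds reproducible. The same line is emitted into every generated alpine Dockerfile in this series, so fixing it in the template covers all of them.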
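Review bot: The new sigstore branch downloads `python.tar.xz.sigstore` next to the tarball but never removes it, whereas the pgp branch it replaces cleaned up `python.tar.xz.asc` together with `$GNUPGHOME`; the later `rm python.tar.xz` (visible in the generated Dockerfiles, outside this hunk) only removes the tarball, so the bundle is left behind in the image layer. Adding `rm python.tar.xz.sigstore; \` directly after the `cosign verify-blob` command restores the cleanup. The `${CERTIFICATE_IDENTITY}` and `${CERTIFICATE_ISSUER}` expansions on that command are also unquoted; the values are fixed ENV strings so this is harmless today, but `"${CERTIFICATE_IDENTITY}"` matches the quoting used for the other expansions in this RUN. Both points apply equally to the generated alpine Dockerfiles in this series.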
