
OpenPGP signature missing for tag 1.2.2.post1 #836

Open
dvzrv opened this issue Nov 9, 2024 · 3 comments

dvzrv commented Nov 9, 2024

Hi! 👋

We're currently preparing the upgrade to Python 3.13 on Arch Linux.
While looking into bootstrapping for this project, I noticed that we are still shipping 1.2.2 and that 1.2.2.post1 is not released using a signed tag.

We have locked the OpenPGP certificate with the fingerprint 2FDEC9863E5E14C7BC429F27B9D0E45146A241E8 on our side for the verification of this upstream, which appears to belong to @henryiii.

Is the missing tag signature an oversight? Please create upcoming releases using a signed tag again, as it helps us (and any downstream really) to validate the trust path between releases. 🙏

cc @polyzen @FFY00

henryiii commented Nov 9, 2024

There are no changes at all except PyPI metadata in a post release, so you can keep using 1.2.2.

Going forward there's momentum behind SigStore, and we are providing attestations for all our artifacts with SigStore.

FMI, can I sign an already-released tag? Since the SHA isn't changing, I'd think so?

dvzrv commented Nov 9, 2024

> There are no changes at all except PyPI metadata in a post release, so you can keep using 1.2.2.

Alright, thanks for the clarification! Just wanted to make sure :)

> Going forward there's momentum behind SigStore, and we are providing attestations for all our artifacts with SigStore.

We unfortunately do not have integration for SigStore and any possible integration is at this point undefined.
One of the largest differences for validation scenarios with it (IIUC) is the requirement for authentication against a third-party online service.
FYI: We are not relying on PyPI artifacts, so the established OpenPGP trust path via tags in this repository remains a valid use-case for the foreseeable future (for us).

> FMI, can I sign an already-released tag? Since the SHA isn't changing, I'd think so?

I think you would have to delete the tag (not recommended) and then create a signed tag.
At this point in time - considering your earlier statement - I'd guess it's not worth the hassle.
However, what you can always do is to just tag e.g. a post2 on the same commit? 🤔
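A downstream check of the kind the reporter describes (pinning one OpenPGP fingerprint and verifying a release tag against it), written here as an added example that is not part of the issue thread or of the project. The `verify_status` function, its reading of the gpg status lines that `git verify-tag --raw` prints, and the sample status lines are my assumptions and constructed input; the pinned fingerprint is the one quoted in the issue.

```shell
#!/bin/sh
# Added example: accept a git tag signature only when gpg reports a good,
# unexpired, unrevoked signature whose primary key matches a pinned fingerprint.
# Input is the status-fd text that `git verify-tag --raw <tag>` writes to stderr.
PINNED_FPR=2FDEC9863E5E14C7BC429F27B9D0E45146A241E8   # fingerprint quoted in the issue

# verify_status STATUS_TEXT PINNED_FPR  -> exit 0 if acceptable, 1 otherwise
verify_status() {
    status="$1"; pin="$2"
    # Any of these status words disqualifies the signature outright
    # (bad/unparsable signature, expired signature or key, revoked key, unknown key).
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 1
    fi
    # A signature is only "good" if gpg said so explicitly; an unsigned tag never gets here.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, field 12 (when present)
    # the primary key fingerprint. Pin on the primary key so subkey rotation still passes.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print ($12 != "") ? $12 : $3; exit}')
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$pin" ]
}

# Constructed sample status output (not captured from this project's tags).
GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B9D0E45146A241E8 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 2FDEC9863E5E14C7BC429F27B9D0E45146A241E8 2024-11-09 1731110400 0 4 0 22 10 00 2FDEC9863E5E14C7BC429F27B9D0E45146A241E8'
WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2024-11-09 1731110400 0 4 0 22 10 00 0000000000000000000000000123456789ABCDEF'
EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG B9D0E45146A241E8 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 2FDEC9863E5E14C7BC429F27B9D0E45146A241E8 2024-11-09 1731110400 0 4 0 22 10 00 2FDEC9863E5E14C7BC429F27B9D0E45146A241E8'
UNSIGNED='error: no signature found'   # what git prints for a tag that carries no signature

# Usage against a real tag in a clone (the tag name is taken from the issue):
#   status=$(git verify-tag --raw 1.2.2 2>&1) && verify_status "$status" "$PINNED_FPR"
```

Because the check fails closed on an unsigned tag, a release like 1.2.2.post1 without a tag signature is rejected rather than silently accepted.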

@henryiii

I think it should be signed now.
