Skip to content

Upgrade to sigstore 4.0.0#289

Merged
hugovk merged 3 commits into
python:mainfrom
hugovk:upgrade-sigstore
Jul 7, 2026
Merged

Upgrade to sigstore 4.0.0#289
hugovk merged 3 commits into
python:mainfrom
hugovk:upgrade-sigstore

Conversation

@hugovk

@hugovk hugovk commented Oct 9, 2025

Copy link
Copy Markdown
Member

Split out from #283.

cc @sethmlarson, @woodruffw

The flow here is:

  • run_release.py is run on the release manager's machine. That pops open the sigstore auth page, and fetches an identity token.
  • The token is then put into a SIGSTORE_IDENTITY_TOKEN env var, for when the sigstore CLI is run by add_to_pydotorg.py on the downloads server, where the file signing happens.

I can also give this a demo run with 3.15.0a1 next week.

@sethmlarson

Copy link
Copy Markdown
Collaborator

I've asked the Sigstore Python maintainers what the effects of upgrading are for 4.0.0, it was not immediately clear to me what the backwards incompatible changes would mean for our users.

@hugovk hugovk marked this pull request as draft October 28, 2025 08:31
@ezio-melotti

ezio-melotti commented Nov 1, 2025

Copy link
Copy Markdown
Member

sigstore 4.2.0 has now been released.
There are also some security issues with sigstore 3.

hugovk added 3 commits July 7, 2026 16:56
…tensions

pip-compile --generate-hashes --output-file=requirements.txt requirements.in --upgrade-package sigstore --upgrade-package pydantic --upgrade-package typing-extensions
@hugovk hugovk force-pushed the upgrade-sigstore branch from 7228e3a to a3eecd6 Compare July 7, 2026 15:21
@hugovk

hugovk commented Jul 7, 2026

Copy link
Copy Markdown
Member Author

Rebased and resolved conflicts. sigstore is up to 4.4.0, but I've left this on 4.0.0 for now. Can update here or in a follow up.

@woodruffw

Copy link
Copy Markdown

I've asked the Sigstore Python maintainers what the effects of upgrading are for 4.0.0, it was not immediately clear to me what the backwards incompatible changes would mean for our users.

Sorry, not sure if I ever responded to this anywhere 😅

The short version is that there should be no compatibility concerns for users -- the major version here reflects a change to sigstore-python's public APIs, not to the format of the Sigstore bundles themselves.

@sethmlarson

Copy link
Copy Markdown
Collaborator

@woodruffw Amazing, thank you for confirming! Let's move forward with upgrading the Sigstore CLI then.

@sethmlarson sethmlarson left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hugovk hugovk marked this pull request as ready for review July 7, 2026 20:27
@hugovk

hugovk commented Jul 7, 2026

Copy link
Copy Markdown
Member Author

Thanks! Will merge this as-is, and we can get hopefully back on the Dependabot train for newer 4.x.

@hugovk hugovk merged commit a232c1b into python:main Jul 7, 2026
18 checks passed
@hugovk hugovk deleted the upgrade-sigstore branch July 7, 2026 20:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants