Upgrade to sigstore 4.0.0#289
Conversation
|
I've asked the Sigstore Python maintainers what the effects of upgrading are for 4.0.0, it was not immediately clear to me what the backwards incompatible changes would mean for our users. |
|
sigstore 4.2.0 has now been released. |
…tensions pip-compile --generate-hashes --output-file=requirements.txt requirements.in --upgrade-package sigstore --upgrade-package pydantic --upgrade-package typing-extensions
|
Rebased and resolved conflicts. sigstore is up to 4.4.0, but I've left this on 4.0.0 for now. Can update here or in a follow up. |
Sorry, not sure if I ever responded to this anywhere 😅 The short version is that there should be no compatibility concerns for users -- the major version here reflects a change to sigstore-python's public APIs, not to the format of the Sigstore bundles themselves. |
|
@woodruffw Amazing, thank you for confirming! Let's move forward with upgrading the Sigstore CLI then. |
|
Thanks! Will merge this as-is, and we can get hopefully back on the Dependabot train for newer 4.x. |
Split out from #283.
cc @sethmlarson, @woodruffw
The flow here is:
run_release.pyis run on the release manager's machine. That pops open the sigstore auth page, and fetches an identity token.SIGSTORE_IDENTITY_TOKENenv var, for when the sigstore CLI is run byadd_to_pydotorg.pyon the downloads server, where the file signing happens.I can also give this a demo run with 3.15.0a1 next week.