sigstore 4.0 upgrade details

[jku]

Filing as heads up: The sigstore-python 4.0 upgrade is a bit more complicated since there are related service changes. I'll add more details here in next day or two but short story is:

• sigstore-python 4.0 contains support for rekor v2 transparency log
• rekor v2 is not yet fully deployed on the public good instance (sigstore.dev) but once it is, sigstore-python 4.0 will start using it (by default) when signing. There is no strict deadline for full deployment but a couple of months is a good guess (the rekor v1 instance will remain usable even after that)
• verifying signature bundles (that were produced with rekor v2) requires sigstore-python 4.0 (or another sigstore client with rekorv2 support)

sigstore-python 3.6.x series is still maintained so there is no rush to upgrade here

[jku]

Update:

• next pypi-attestations release will use sigstore 4. It will explicitly disable rekor v2 even after Sigstore public good instance fully deploys it: this means upgrading to this pypi-attestations release should be a non-event as the produced attestations do not change ... That said, I think the safest path is always to upgrade the verifying end (warehouse) first, then the signing component
• At some later point a future pypi-attestations release will enable using rekor v2: this will change the produced attestations so Warehouse definitely needs to be upgraded before this action

[webknjaz]

Thanks for tracking the updates! I assume @facutuesca / @woodruffw will be the ones updating Warehouse? Does that repo have a tracking issue?

[facutuesca]

The new pypi-attestations that uses sigstore>=4 is now released: https://pypi.org/project/pypi-attestations/0.0.28/

Here's the PR for warehouse: pypi/warehouse#18888

[jku]

I wrote an umbrella tracking issue since there are multiple projects involved: pypi/pypi-attestations#147