Migrate to/back-fill Sigstore bundles for Python releases

[sethmlarson]

Sigstore bundles is the new way to distribute verification materials which is better for verifiers because it allows for offline verification. Many older Python releases don't have bundles, but we can create the bundles from the existing verification materials.

I've created a script which creates a bundle from existing materials. We can then publish these new verification materials after independently verifying them against existing artifacts.

After all releases have a bundle associated with them we can update the Sigstore documentation to use bundles for verification instead of disconnected verification materials.

[sethmlarson]

I've created an archive of bundles from existing verification materials here: bundles.tar.gz

This should be independently verified by a release manager and if found to be valid for each artifact we can upload the new bundles for existing releases.

Hashes of the generated bundles in the archive are:

4273ef96528d358b57794c35a664d7645eaccfa9a1090e84e6cd90db07da96e1  Python-3.12.0a3.tgz.sigstore
8d5e3b3ee3c5f489ad4c07fb541d5d2b323c44cefb8e0d72ecd6fd2e9271394d  Python-3.12.0a5.tar.xz.sigstore
4fdd6387c49f3695a54c297b448ac3e294e8285679c8950c33b0069369fd44ea  Python-3.12.0a6.tgz.sigstore
6392522692bfaa2c76989434be202842ff054ec1356b48e6eba767e71bc1341f  Python-3.11.1.tgz.sigstore
9b1ce1128be53a72fbe9f57dccb55b33f9eee87b6a9b461bb39a7f5e7fc7323c  Python-3.9.16.tar.xz.sigstore
91c110421a33f619e0fcfa47ae0bd609ab3ecd9736f5d86765ace990e5defe9a  Python-3.10.8.tar.xz.sigstore
414de5a8ec9a1a834c369e3c2cf4241e736bad34d2886a512211bd42315753a0  Python-3.12.0a1.tgz.sigstore
bb9f22e52998e4009fdd1fdd6b9111391cf04bff38dcda0a54505977b376e8b3  Python-3.11.0.tar.xz.sigstore
267db87ba6eabcf3f491b6ef565191f3ff15d87c8bb9a0902d48fd1fb751591a  Python-3.12.0a3.tar.xz.sigstore
25ee4b50ffc68660e2f8f3bd559b1ef9cc3c115ea60ace60223c8ae591ee066b  Python-3.11.2.tar.xz.sigstore
33fe53718d107e86a35e7af63033d3b5262f997d083d6ad2d9c7041602eea522  Python-3.12.0a4.tar.xz.sigstore
c195204149e40a5c385da10f35e70f9d0fa101fd30c8bbdc68406c31ac0d333d  Python-3.12.0a2.tar.xz.sigstore
38b750b67d6e71ed741ffcf0f748720574b1d77c915cb0709050c9d9b9c28988  Python-3.8.14.tar.xz.sigstore
056d74223954d90930562196642ef022b7292b7de164eab5fc421501d09f8ccd  Python-3.8.16.tgz.sigstore
87739cd44541110df122b38b0f08f3f6e2d43f081302b2e647a8fa4f3f4b9b9d  Python-3.11.2.tgz.sigstore
cc058894c05c1d3a9b7cc52a040176015707a80badf35f1d014bf91bd767d56a  Python-3.9.14.tar.xz.sigstore
b4236f0a4f389f52e485f9530aba88f76dd89c60609170ac517713e169b8fafa  Python-3.8.14.tgz.sigstore
e92ab4f9ce7d538255c6316f549b37131d14663297dde9f8fa77b49dff1bdf6f  Python-3.10.8.tgz.sigstore
f4941f800098a1d93b3116242c1e8bff44be0a855ad73d6788b5a81ec794881f  Python-3.9.16.tgz.sigstore
c82e9c988d2d0a1f319e141c587692b96d598342831cb15aeb43304e99dea00e  Python-3.10.10.tgz.sigstore
60f1f5eb8711d2e497b396c7be799ec77a4e2b7370a3f86af4f2ee57b0511e1c  Python-3.11.1.tar.xz.sigstore
c67e04ba6ea9f65b437b58d6ec7bd8e50befe1b623e88a8a0980ae3b36682647  Python-3.12.0a6.tar.xz.sigstore
22446376bb64a627f5e4ec5ed61e8325405a6ee278fd9c114034358dfe2afd5b  Python-3.10.9.tar.xz.sigstore
ae0b6d812ba9937251fdf4dbd77b4fe537120c32a11c61469f072b3f3ac01977  Python-3.8.15.tar.xz.sigstore
db7e022651be2da010a29786983b27fcb22e828c71265a84a56c0b8f07c4598c  Python-3.12.0a4.tgz.sigstore
11b6e0745797d740f92b51c2ff51de83eee6ce87b2b51b5963757df7bc06c89c  Python-3.9.15.tar.xz.sigstore
95085269892e362bf1a0a0a0df46d249477d927fd496ef22b9727ae001c17032  Python-3.7.16.tgz.sigstore
92b15e174b752cfd400f31e6d56b91b3749f4e20938da2866ad8f938c20999d8  Python-3.12.0a1.tar.xz.sigstore
a39d89c6e0f7cb4710dd0176fbb361b553ddf6902645a209d92d3b4f17d902b6  Python-3.11.0.tgz.sigstore
402c6032500f1ec94a79339bbc2dbdb5a625ce3db85e70168240e7e1330ade7f  Python-3.10.7.tar.xz.sigstore
1786564ea115d94f3a30b45930dd6c40a293fedb488323a42e4c135cffe234d4  Python-3.7.15.tar.xz.sigstore
225ca9fe444511c4fea8625f39ffb2154b12a0f8aa748273e890a2916432eb84  Python-3.12.0a5.tgz.sigstore
1cfe0bbe8a4ad15ee27dd52e7924d115750211aa75758a787ccfa309e0965141  Python-3.9.14.tgz.sigstore
59a78b4a36b547a10822837c0a1ebd0d028d77aa70bf3608a300224838b67e18  Python-3.7.16.tar.xz.sigstore
6c0040ffadb1475055c4e72f9380d8fd7825017b9618ad4d2a20c627094b8190  Python-3.10.9.tgz.sigstore
37b55896cc3a14eb8a6866a4935c0031e368acce0a1a9d68f4a36c6d4ab229d2  Python-3.11.0rc2.tar.xz.sigstore
aa5b8cecf9b2d86d2cee596b21a500d121930c5f96e8748ba9821a8cc680ffc7  Python-3.10.7.tgz.sigstore
3313555f1743967647f81de737d99fd1f3c14ba0d0245b2119119360256e2cc1  Python-3.7.15.tgz.sigstore
bc3995d7bba717af826204a04bf7cbb23e8a44b3d3879d9c858c0dea54e3061a  Python-3.12.0a2.tgz.sigstore
8ba9c17b8322d2e50356d6f706bd6da569b789371eefd443e6651f36f2d1f056  Python-3.10.10.tar.xz.sigstore
693cd26cb83a7ec3ac16a956cb6f54035d4d04e0851401f7bfb59cc29ea50e7d  Python-3.8.15.tgz.sigstore
760e5264cb7dd9d5d6afc66c33526c5c5d8d2dd0cd584d0699ba421ccae9097c  Python-3.8.16.tar.xz.sigstore
344484381afeebff8a7f0b8aa89f82a9aefcf3a757d9262d50ecc0288892ff41  Python-3.9.15.tgz.sigstore
78a9d592c6e7092f7ced064d2d6e70a5daf9c5042ddf6d6f67b1aefe9df750a3  Python-3.11.0rc2.tgz.sigstore

[sethmlarson]

Related:

• Security information on the Downloads page needs to be updated to include sigstore and code signing info #2299
• Sigstore documentation doesn't have example for .sigstore bundles #2285

[sethmlarson]

Verified the backfills were correct here: sethmlarson/verify-python-release-signatures@10a10da