Add support for Sigstore verification materials

[di]

This PR adds support for including the files that comprise Sigstore verification materials with CPython downloads. This is one of the last steps in the plan documented here.

This also fixes some small issues I ran into during the development process. moved to #2114

(cc @ewdurbin @pablogsal @Yhg1s)

[ewdurbin]

cc @python/python-release-managers, take a look if you're able before I merge this tomorrow.

[pablogsal]

Will this need changes to our upload script (https://github.com/python/release-tools/blob/master/add-to-pydotorg.py) ?

[di]

@pablogsal Looks like yes, I was unaware of that script, will make a PR to update it tomorrow.

[di]

(shouldn't block this PR though I think)

[di]

@pablogsal PR here: python/release-tools#17

[ewdurbin]

Was it determined that this won't break the existing release script? If so I'm good to merge!

[di]

Yes, the changes to the release script are to include the verification materials if they're present. As is, it just won't include them, but won't break.

[pablogsal]

@di Seems that we need some extra changes because after signing 3.10.7 with sigstore we ran into some problems:

https://www.python.org/downloads/release/python-3107/

If you click the sigstore cert it shows 403 Forbidden.

Also, unfortunately there was a NameError in the original changes for the release scripts:

python/release-tools#19

Also, seems that the automation is broken now because sigstore blocks until you paste some code from the auth and therefore this code here:

https://github.com/python/release-tools/blob/401afdec47eadf4b5f17a68f5bb87f4ca04a86d1/run_release.py#L720-L744

Doesn't work anymore. Sadly I will need to comment out the signing in the add_to_python_org.py script until that is fixed.

[ewdurbin]

Are the 403ing files on disk on the downloads backend host? Seems they must be being created with strict permissions?

[pablogsal]

Yeah, they are on disk. Seems that the changes in the release tools so far are not enough. The release script changes the permissions for the artifacts here:

https://github.com/python/release-tools/blob/401afdec47eadf4b5f17a68f5bb87f4ca04a86d1/run_release.py#L574-L578

So we need changes to the add_to_python_dot_org.py script to correctly change the permissions as well.

[pablogsal]

Given that this is impacting releases, I am reverting the sigstore changes in the repository until they are ready.

[pablogsal]

I also fixed manually the permissions for 3.10.7

[di]

Thanks, I filed python/release-tools#21 to capture what (I think) needs done to fix this.