Security information on the Downloads page needs to be updated to include sigstore and code signing info #2299
Comments
I'm going to take the liberty of assigning this to @sethmlarson and cc the release managers @python/release-managers-in-development-maintenance-and-security-mode and @di.

When this gets updated, can we have the following (subject to any changes in later discussion) added for Windows: (Updated for Azure Trusted Signing, which applies for all releases chronologically from 3.14.0a1)

Windows
The Windows installers and all binaries produced as part of each Python release are signed using an Authenticode signing certificate issued to the Python Software Foundation. This can be verified by viewing the properties of any executable file, looking at the Digital Signatures tab, and confirming the name of the signer. Our full certificate subject is Note that some executables may not be signed, notably, the default

FWIW, we're going to flip over to Azure Trusted Signing soon instead of DigiCert, which is going to impact the above text. I'll need a week or two to figure out exactly what it should say - ATS does things a bit different from how signing certs have historically worked, and it'll need some explaining.

Updated the above proposed text for our new signer. Since it seems nobody has any comments, @ned-deily could you insert that into whatever database entry makes it appear on the site?

I've added the proposed text. It could be prettified when the section is edited to remove the PGP information. I will leave that for someone else or later.
There is information related to user verification of Python release artifacts downloaded from python.org on the website Downloads page. Originally this info was about PGP keys and was later expanded to include a bit about macOS installer certificates. With the introduction of sigstore signing to releases, this section of the page should be renamed and updated to emphasize sigstore validation, de-emphasize PGP keys, and also include information about signing of Windows release artifacts. (The current information is maintained in the python.org admin CMS in the downloads-pgp box in the Boxes section.)
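Added example, not text from this issue, from python.org or from CPython: a PowerShell script that performs the Windows Authenticode check described in the proposed Windows text above (using Get-AuthenticodeSignature rather than the Digital Signatures tab), lists binaries in an install directory that carry no valid signature, and runs the sigstore validation the issue body asks the Downloads page to emphasize. The file paths, the expected certificate subject, and the signing identity and OIDC issuer are placeholders (the real values belong on the Downloads page); it assumes sigstore-python is installed (pip install sigstore) and that the .sigstore bundle was downloaded next to the artifact.

```powershell
# Added example (hypothetical paths and values, not from the issue or python.org).
param(
    [string]$Installer       = "$env:USERPROFILE\Downloads\python-3.14.0-amd64.exe",   # assumed download path
    [string]$InstallDir      = "$env:LOCALAPPDATA\Programs\Python\Python314",           # assumed install dir
    [string]$ExpectedSubject = 'CN=Python Software Foundation, <PLACEHOLDER: full subject from Downloads page>',
    [string]$SigstoreIdentity = '<PLACEHOLDER: release manager identity from Downloads page>',
    [string]$SigstoreIssuer   = '<PLACEHOLDER: OIDC issuer URL from Downloads page>'
)

# Check one file's Authenticode signature: it must be cryptographically valid
# and the signer's certificate subject must match what the Downloads page documents.
function Test-PythonAuthenticodeSignature {
    param([string]$Path, [string]$Subject)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    if ($sig.SignerCertificate.Subject -ne $Subject) {
        Write-Warning "$Path : unexpected signer '$($sig.SignerCertificate.Subject)'"
        return $false
    }
    Write-Host "$Path : valid signature from $($sig.SignerCertificate.Subject)"
    return $true
}

# Walk an installed Python tree and report every executable, DLL or extension
# module whose signature is missing or invalid, since the proposed text notes
# that some shipped executables are not signed.
function Get-UnsignedPythonBinaries {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll, *.pyd |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

# Verify a release artifact against its sigstore bundle using sigstore-python's
# "verify identity" subcommand; the identity and issuer pin who may have signed it.
function Test-PythonSigstoreBundle {
    param([string]$Artifact, [string]$Identity, [string]$Issuer)
    & python -m sigstore verify identity `
        --cert-identity $Identity `
        --cert-oidc-issuer $Issuer `
        --bundle "$Artifact.sigstore" `
        $Artifact
    return ($LASTEXITCODE -eq 0)
}

$authenticodeOk = Test-PythonAuthenticodeSignature -Path $Installer -Subject $ExpectedSubject
$sigstoreOk     = Test-PythonSigstoreBundle -Artifact $Installer -Identity $SigstoreIdentity -Issuer $SigstoreIssuer
"Authenticode: $authenticodeOk ; sigstore: $sigstoreOk"
Get-UnsignedPythonBinaries -Root $InstallDir | Format-Table -AutoSize
```

The subject comparison is deliberately an exact string match: a valid Authenticode chain only proves that some trusted CA issued the certificate, and pinning the documented subject is what ties the file to the Python Software Foundation. The sigstore step complements it by checking the transparency-log-backed bundle against a specific signer identity rather than a certificate.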