Do Sigstore Verification For Python TarBall #764
Labels
feature request
New feature or request to improve the current logic
Comments
sbs2001
added
feature request
|
Hello @sbs2001. Thank you four your feature request. We'll investigate it and reach to you with our decision. |
|
@dmitry-shibanov thanks ! |
|
This would be awesome to see, setup-python would be a great consumer of such information since the number of users this action sees is likely astronomical. I've recently done an audit of existing Sigstore signatures and found them to be consistent as documented and have backfilled @dmitry-shibanov It would be great to see this implemented, I'm happy to provide guidance if needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
Verify sigstore signatures of python releases at https://github.com/actions/python-versions
Python releases are signed via Sigstore .
Github also announced to increasingly adopt sigstore
Justification:
If we verify the signatures for the downloaded python releases, the supply chain security would be greatly improved.
Are you willing to submit a PR?
Yes ! I would really love to do it.
The text was updated successfully, but these errors were encountered: