CPython Sigstore bundles migrated to include checkpoints

This is an informational post about CPython’s Sigstore bundles, no action is required from anyone at this time.

Today PSF infrastructure engineer @JacobCoffee and I ran a script which migrated CPython Sigstore bundles (.sigstore) from a format which didn’t contain checkpoint values to ones that do. The now specified Sigstore bundle format requires these checkpoint values be present. The bundles were always valid (i.e. verified for the proper release manager identity) but newer Sigstore tools would complain that the Sigstore bundle was the incorrect format.

This operation didn’t require any re-signing of artifacts, only capturing the checkpoint value into the bundle using an official Sigstore CLI feature for repairing old Sigstore bundles. This Sigstore CLI feature was developed for and tested specifically on our Sigstore bundles. Release managers were notified that this would occur ahead of time and given a chance to review the script.

These “malformed” bundles existed at all because CPython adopted Sigstore tooling that emitted bundles before the bundle format had standardized. This meant that newer Sigstore tools started to expect the standardized bundle format.

Malformed Sigstore bundles should no longer be generated by release tooling, so we won’t have to do this migration again. This is expected to be a one-time exercise to fix all of the existing Sigstore bundles that had already been generated.

If anyone has questions you can ask them here, happy to answer!

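An added check, not part of the post above or of CPython's release tooling: it inspects Sigstore bundle JSON for the checkpoint value that newer tools expect in each transparency log entry's inclusion proof. Field names follow the Sigstore bundle JSON layout; the two sample bundles are constructed, with a placeholder checkpoint envelope rather than a real one.

```python
"""Audit .sigstore bundle files for missing checkpoints (added example, constructed data)."""
import json
from pathlib import Path

# Sigstore bundle JSON layout:
#   verificationMaterial.tlogEntries[].inclusionProof.checkpoint.envelope
# Pre-standardization bundles omitted the checkpoint; current tools require it.


def missing_checkpoints(bundle: dict) -> list[int]:
    """Return indices of tlog entries whose inclusion proof lacks a non-empty checkpoint."""
    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    missing = []
    for i, entry in enumerate(entries):
        proof = entry.get("inclusionProof") or {}
        checkpoint = proof.get("checkpoint") or {}
        if not checkpoint.get("envelope"):
            missing.append(i)
    return missing


def audit_bundle_files(paths) -> dict[str, list[int]]:
    """Map each bundle path to the list of tlog entry indices missing a checkpoint."""
    report = {}
    for path in map(Path, paths):
        with path.open() as fh:
            report[str(path)] = missing_checkpoints(json.load(fh))
    return report


# Constructed sample bundles (not real CPython bundles); only the fields the check needs.
OLD_STYLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "verificationMaterial": {"tlogEntries": [
        {"logIndex": "1", "inclusionProof": {"logIndex": "1", "hashes": []}}]},
}
NEW_STYLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"tlogEntries": [
        {"logIndex": "1", "inclusionProof": {"logIndex": "1", "hashes": [],
            # Placeholder envelope text: "<log origin>\n<tree size>\n<root hash>\n"
            "checkpoint": {"envelope": "<log origin>\n<tree size>\n<root hash>\n"}}}]},
}

if __name__ == "__main__":
    import sys
    for name, bad in audit_bundle_files(sys.argv[1:]).items():
        print(f"{name}: {'ok' if not bad else 'missing checkpoint in entries ' + str(bad)}")
```

Run it as `python audit.py /path/to/*.sigstore` to list bundles that still need the repair the post describes.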