PEP 761: Deprecating PGP signatures for CPython artifacts

Hi!

Seth reached out to us in PEP 761: Deprecating PGP signatures · Issue #1660 · heroku/heroku-buildpack-python · GitHub since we build Python binaries for use with both Heroku’s classic Python buildpack and the upcoming Python Cloud Native Buildpack.

This requires building all non-EOL Python major versions for all currently supported Ubuntu LTS releases, so that end users can use any permutation of Python version with all of Heroku’s supported stacks.

We currently verify the source archives using the PGP signatures; however, we would be happy to switch to Sigstore so long as we have an easy way to bootstrap a Sigstore client.

I’m presuming our options would be to either:

  1. Use the distro system Python install to install sigstore · PyPI using pip.
  2. Or, wait for Debian to package Sigstore, Ubuntu to pick up the package, and for us to install it along with the other distro packages we already install.
  3. Or, download/use a standalone client such as GitHub - sigstore/sigstore-go: Go library for Sigstore signing and verification to avoid the system Python dependency.

It seems that (2) might be problematic since we’d also need support on older Ubuntu LTS releases such as Ubuntu 20.04, which I presume might not get any package additions? And for (3), sigstore-go doesn’t ship pre-built binaries, so would require a Go toolchain.

As such, it seems like (1) might be our only/best option?

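As an added illustration of option (1) from the post above (example code, not part of the original thread and not Heroku's buildpack code): a POSIX shell bootstrap that uses the distro Python to create a venv, installs the `sigstore` client with pip, and verifies a CPython source tarball against its Sigstore bundle with `python -m sigstore verify identity`. The bundle URL layout (`<artifact>.sigstore` next to the artifact under python.org/ftp/python/<version>/), the `SIGSTORE_SPEC` pin, and the signer identity / OIDC issuer values are assumptions that a build pipeline would fill in from the release documentation, not values taken from this page.

```shell
#!/bin/sh
# Bootstrap a Sigstore client from the system Python and verify a CPython
# source tarball. Added example; assumptions are marked inline.
set -eu

# Pin the client in real pipelines (e.g. "sigstore==X.Y.Z" plus --require-hashes).
SIGSTORE_SPEC="${SIGSTORE_SPEC:-sigstore}"   # assumption: unpinned for illustration

# Extract "3.12.4" from "Python-3.12.4.tgz" (or .tar.xz); pure string function.
artifact_version() {
    printf '%s\n' "$1" | sed -E 's/^Python-([0-9]+\.[0-9]+\.[0-9]+[a-z0-9]*)\..*$/\1/'
}

# Assumed layout: the Sigstore bundle sits next to the artifact on python.org.
bundle_url() {
    version="$1"; artifact="$2"
    printf 'https://www.python.org/ftp/python/%s/%s.sigstore\n' "$version" "$artifact"
}

# Create a venv with the distro interpreter and install the sigstore CLI into it.
bootstrap_sigstore_venv() {
    venv="$1"
    if [ ! -x "$venv/bin/python" ]; then
        python3 -m venv "$venv"
        "$venv/bin/python" -m pip install --quiet --upgrade pip
        "$venv/bin/python" -m pip install --quiet "$SIGSTORE_SPEC"
    fi
}

# Verify that ARTIFACT was signed by IDENTITY via ISSUER, using BUNDLE.
# Returns the sigstore CLI's exit status (0 = signature and identity match).
verify_cpython_source() {
    venv="$1"; artifact="$2"; bundle="$3"; identity="$4"; issuer="$5"
    "$venv/bin/python" -m sigstore verify identity \
        --bundle "$bundle" \
        --cert-identity "$identity" \
        --cert-oidc-issuer "$issuer" \
        "$artifact"
}

# Full flow: download artifact + bundle, then verify before unpacking.
main() {
    artifact="$1"            # e.g. Python-3.12.4.tgz
    identity="$2"            # release manager identity from the release docs (assumption)
    issuer="$3"              # matching OIDC issuer (assumption)
    venv="${SIGSTORE_VENV:-./.sigstore-venv}"
    version="$(artifact_version "$artifact")"

    bootstrap_sigstore_venv "$venv"
    curl -fsSL -o "$artifact" "https://www.python.org/ftp/python/$version/$artifact"
    curl -fsSL -o "$artifact.sigstore" "$(bundle_url "$version" "$artifact")"

    if verify_cpython_source "$venv" "$artifact" "$artifact.sigstore" "$identity" "$issuer"; then
        echo "verified: $artifact"
    else
        echo "VERIFICATION FAILED: $artifact" >&2
        rm -f "$artifact"        # never leave an unverified tarball for later steps
        exit 1
    fi
}

# Only run the network-dependent flow when explicitly requested.
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    main "$@"
fi
```

Invoke as `RUN_VERIFY=1 sh verify.sh Python-3.12.4.tgz '<identity>' '<issuer>'`. Failing closed and deleting the artifact on a failed verification is the point: the rest of the build should never be able to consume a tarball whose signature did not check out.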