In Fedora, we verify the GPG signatures of Python tarballs during the build. We do that namely to:
- avoid accidentally building from a bad tarball
- make it more visible if a malicious packager would like to tamper with the tarball[1]
We do this offline. It is not possible for us to do any sort of online verification during the build.
The current blockers for us to use sigstore:
- missing offline verification, as said by @mgorny
- it is written in Python and has a lot of dependencies
- including some questionable or problematic ones, like pyOpenSSL of certifi
- this makes packaging sigstore for Fedora generally harder, but not impossible
- this makes bootstrapping Python more complex (we might need to temporarily disable the verification until we can build sigstore with the new Python version[2][3])
They would still be able to replace the key we use to verify the signature with their own key, but unlike the tarballs, we store the key directly in our git, so it would be much harder to conceal this. ↩︎
Allowing a potential attacker to use this moment to slip in a malicious Python tarball that will be built and later used to run sigstore itself – possibly tampering with the results. ↩︎
Where “temporarily” might last weeks, given the number of dependencies (18 on Python 3.12, not counting the transitive build-time ones). ↩︎