use cosign

Author: mayeut

docker/Dockerfile

@@ -107,12 +107,15 @@ RUN export MPDECIMAL_ROOT=mpdecimal-4.0.0 && \
     manylinux-entrypoint /build_scripts/build-mpdecimal.sh
 
 
+FROM --platform=${BUILDPLATFORM} ghcr.io/sigstore/cosign/cosign:v2.4.2 AS cosign-bin
+
 FROM build_base AS build_cpython_system_ssl
 COPY --from=build_tcl_tk /manylinux-buildfs /
 COPY --from=build_mpdecimal /manylinux-buildfs /
 COPY --from=build_sqlite3 /manylinux-buildfs /
 COPY build_scripts/build-cpython.sh /build_scripts/
 RUN if command -v apk >/dev/null 2>&1; then ldconfig /; else ldconfig; fi
+COPY --from=cosign-bin /ko-app/cosign /usr/local/bin/cosign
 
 FROM build_cpython_system_ssl AS build_cpython
 COPY build_scripts/build-openssl.sh /build_scripts/
@@ -123,36 +126,28 @@ RUN export OPENSSL_ROOT=openssl-3.0.15 && \
 
 
 FROM build_cpython_system_ssl AS build_cpython37
-COPY build_scripts/cpython-pubkeys.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.7.17
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://github.com/login/oauth 3.7.17
 
 FROM build_cpython AS build_cpython38
-COPY build_scripts/ambv-pubkey.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.8.20
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://github.com/login/oauth 3.8.20
 
 FROM build_cpython AS build_cpython39
-COPY build_scripts/ambv-pubkey.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.9.21
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://github.com/login/oauth 3.9.21
 
 FROM build_cpython AS build_cpython310
-COPY build_scripts/cpython-pubkey-310-311.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.10.16
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.10.16
 
 FROM build_cpython AS build_cpython311
-COPY build_scripts/cpython-pubkey-310-311.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.11.11
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.11.11
 
 FROM build_cpython AS build_cpython312
-COPY build_scripts/cpython-pubkey-312-313.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.12.9
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.12.9
 
 FROM build_cpython AS build_cpython313
-COPY build_scripts/cpython-pubkey-312-313.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.13.2
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.13.2
 
 FROM build_cpython AS build_cpython313_nogil
-COPY build_scripts/cpython-pubkey-312-313.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.13.2 nogil
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.13.2 nogil
 
 
 FROM runtime_base

docker/build_scripts/ambv-pubkey.txt

@@ -12,7 +12,9 @@ MY_DIR=$(dirname "${BASH_SOURCE[0]}")
 source "${MY_DIR}/build_utils.sh"
 
 
-CPYTHON_VERSION=$1
+CERT_IDENTITY=$1
+CERT_OIDC_ISSUER=$2
+CPYTHON_VERSION=$3
 CPYTHON_DOWNLOAD_URL=https://www.python.org/ftp/python
 
 
@@ -26,17 +28,18 @@ function pyver_dist_dir {
 
 CPYTHON_DIST_DIR=$(pyver_dist_dir "${CPYTHON_VERSION}")
 fetch_source "Python-${CPYTHON_VERSION}.tar.xz" "${CPYTHON_DOWNLOAD_URL}/${CPYTHON_DIST_DIR}"
-fetch_source "Python-${CPYTHON_VERSION}.tar.xz.asc" "${CPYTHON_DOWNLOAD_URL}/${CPYTHON_DIST_DIR}"
-gpg --import "${MY_DIR}/cpython-pubkeys.txt"
-gpg --verify "Python-${CPYTHON_VERSION}.tar.xz.asc"
+fetch_source "Python-${CPYTHON_VERSION}.tar.xz.sigstore" "${CPYTHON_DOWNLOAD_URL}/${CPYTHON_DIST_DIR}"
+cosign  verify-blob "Python-${CPYTHON_VERSION}.tar.xz" --bundle "Python-${CPYTHON_VERSION}.tar.xz.sigstore" --certificate-identity="${CERT_IDENTITY}" --certificate-oidc-issuer="${CERT_OIDC_ISSUER}"
+
+
 tar -xJf "Python-${CPYTHON_VERSION}.tar.xz"
 pushd "Python-${CPYTHON_VERSION}"
 PREFIX="/opt/_internal/cpython-${CPYTHON_VERSION}"
 mkdir -p "${PREFIX}/lib"
 CFLAGS_EXTRA=""
 CONFIGURE_ARGS=(--disable-shared --with-ensurepip=no)
 
-if [ "${2:-}" == "nogil" ]; then
+if [ "${4:-}" == "nogil" ]; then
 	PREFIX="${PREFIX}-nogil"
 	CONFIGURE_ARGS+=(--disable-gil)
 fi
@@ -55,7 +58,7 @@ fi
 SQLITE_PREFIX=$(find /opt/_internal -maxdepth 1 -name 'sqlite*')
 if [ "${SQLITE_PREFIX}" != "" ]; then
 	case "${CPYTHON_VERSION}" in
-		3.6.*|3.7.*|3.8.*|3.9.*|3.10.*) sed -i "s|/usr/local/include/sqlite3|/opt/_internal/sqlite3/include|g ; s|sqlite_extra_link_args = ()|sqlite_extra_link_args = ('-Wl,--enable-new-dtags,-rpath=/opt/_internal/sqlite3/lib',)|g" setup.py;;
+		3.7.*|3.8.*|3.9.*|3.10.*) sed -i "s|/usr/local/include/sqlite3|/opt/_internal/sqlite3/include|g ; s|sqlite_extra_link_args = ()|sqlite_extra_link_args = ('-Wl,--enable-new-dtags,-rpath=/opt/_internal/sqlite3/lib',)|g" setup.py;;
 		*) ;;
 	esac
 fi
@@ -84,7 +87,7 @@ fi
 make > /dev/null
 make install > /dev/null
 popd
-rm -rf "Python-${CPYTHON_VERSION}" "Python-${CPYTHON_VERSION}.tgz" "Python-${CPYTHON_VERSION}.tgz.asc"
+rm -rf "Python-${CPYTHON_VERSION}" "Python-${CPYTHON_VERSION}.tar.xz" "Python-${CPYTHON_VERSION}.tar.xz.sigstore"
 
 if [ "${OPENSSL_PREFIX}" != "" ]; then
 	rm -rf "${OPENSSL_PREFIX:?}/bin" "${OPENSSL_PREFIX}/include" "${OPENSSL_PREFIX}/lib/pkgconfig" "${OPENSSL_PREFIX}/lib/*.so"