diff --git a/python/3.11/Dockerfile b/python/3.11/Dockerfile
index 9a3370e..e7be73a 100644
--- a/python/3.11/Dockerfile
+++ b/python/3.11/Dockerfile
@@ -4,11 +4,12 @@ FROM $BUILD_FROM
 ARG \
 PYTHON_VERSION \
 PIP_VERSION \
- GPG_KEY \
+ CERT_IDENTITY \
+ CERT_OIDC_ISSUER \
 QEMU_CPU
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
@@ -17,19 +18,20 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- gnupg \
 openssl \
 tar \
 xz \
+ && apk add --no-cache --virtual .cosign cosign \
+ --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
- && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
- && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
- && gpg --batch --verify python.tar.xz.asc python.tar.xz \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+ && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+ && cosign verify-blob \
+ --new-bundle-format \
+ --certificate-identity "${CERT_IDENTITY}" \
+ --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+ --bundle python.tar.xz.sigstore \
+ python.tar.xz \
 && mkdir -p /usr/src/python \
 && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
 && rm python.tar.xz \
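Review bot: The bundle fetched by `curl -L -o python.tar.xz.sigstore` is never removed — the replaced chain deleted `python.tar.xz.asc` along with `$GNUPGHOME`, but the new chain ends with only `rm python.tar.xz`, so the bundle lingers in the layer in the RUN step's working directory. Change that line to `&& rm python.tar.xz python.tar.xz.sigstore \`. Both `curl -L` calls also lack `-f`, so an HTTP error body would be written to the tarball or bundle and surface only as an opaque `cosign verify-blob` failure rather than a download error; `curl -fL` makes the failure mode obvious. Pinning an exact `--certificate-identity` and issuer rather than a regexp is the right trust policy, but `cosign` itself is installed unpinned from a fixed v3.21 community repository while the base comes from `$BUILD_FROM`, so `cosign=<version>` would keep the verifier deterministic across rebuilds. The RUN block continues past this hunk.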
@@ -63,7 +65,7 @@ RUN set -ex \
 zlib-dev \
 bluez-dev \
 # add build deps before removing fetch deps in case there's overlap
- && apk del .fetch-deps \
+ && apk del .fetch-deps .cosign \
 \
 && for i in /usr/src/*.patch; do \
 patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.11/build.yaml b/python/3.11/build.yaml
index e860e1b..4ea009a 100644
--- a/python/3.11/build.yaml
+++ b/python/3.11/build.yaml
@@ -11,7 +11,8 @@ cosign:
 args:
 PYTHON_VERSION: 3.11.13
 PIP_VERSION: 25.1.1
- GPG_KEY: A035C8C19219BA821ECEA86B64E628F8D684696D
+ CERT_IDENTITY: pablogsal@python.org
+ CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
 io.hass.base.name: python
 org.opencontainers.image.source: https://github.com/home-assistant/docker-base
diff --git a/python/3.12/Dockerfile b/python/3.12/Dockerfile
index a209429..596c0da 100644
--- a/python/3.12/Dockerfile
+++ b/python/3.12/Dockerfile
@@ -4,11 +4,12 @@ FROM $BUILD_FROM
 ARG \
 PYTHON_VERSION \
 PIP_VERSION \
- GPG_KEY \
+ CERT_IDENTITY \
+ CERT_OIDC_ISSUER \
 QEMU_CPU
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
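Review bot: `CERT_IDENTITY` and `CERT_OIDC_ISSUER` are now the whole trust policy for the downloaded source tarball, but nothing in the file records where the values come from, so a later reviewer cannot tell whether an edit to the identity is a legitimate signer change or a substitution. Add a comment above them, e.g. `# Sigstore signer for this release series; must match https://www.python.org/downloads/metadata/sigstore/`, so any change to these two keys is checked against the upstream-published identity. The same note applies to the 3.12 and 3.13 build.yaml hunks.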
@@ -17,19 +18,20 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- gnupg \
 openssl \
 tar \
 xz \
+ && apk add --no-cache --virtual .cosign cosign \
+ --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
- && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
- && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
- && gpg --batch --verify python.tar.xz.asc python.tar.xz \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+ && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+ && cosign verify-blob \
+ --new-bundle-format \
+ --certificate-identity "${CERT_IDENTITY}" \
+ --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+ --bundle python.tar.xz.sigstore \
+ python.tar.xz \
 && mkdir -p /usr/src/python \
 && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
 && rm python.tar.xz \
@@ -63,7 +65,7 @@ RUN set -ex \
 zlib-dev \
 bluez-dev \
 # add build deps before removing fetch deps in case there's overlap
- && apk del .fetch-deps \
+ && apk del .fetch-deps .cosign \
 \
 && for i in /usr/src/*.patch; do \
 patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.12/build.yaml b/python/3.12/build.yaml
index b0b5277..bb55898 100644
--- a/python/3.12/build.yaml
+++ b/python/3.12/build.yaml
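Review bot: `python.tar.xz.sigstore` is downloaded but never cleaned up in this hunk: the removed line `rm -rf "$GNUPGHOME" python.tar.xz.asc` had no replacement, and the surviving `rm python.tar.xz` only drops the tarball, so the bundle is left behind in the layer. Use `&& rm python.tar.xz python.tar.xz.sigstore \` as the cleanup line. I would also add `-f` to both `curl -L` invocations so a non-2xx response aborts the step instead of being handed to `cosign verify-blob` as a bogus tarball or bundle. The `apk add --virtual .cosign cosign --repository=...v3.21/community` line pulls an unpinned package from a release repository that may differ from `$BUILD_FROM`; pinning `cosign=<version>` would make the verification step reproducible. The enclosing RUN continues beyond the hunk.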
@@ -11,7 +11,8 @@ cosign:
 args:
 PYTHON_VERSION: 3.12.11
 PIP_VERSION: 25.1.1
- GPG_KEY: 7169605F62C751356D054A26A821E680E5FA6305
+ CERT_IDENTITY: thomas@python.org
+ CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
 io.hass.base.name: python
 org.opencontainers.image.source: https://github.com/home-assistant/docker-base
diff --git a/python/3.13/Dockerfile b/python/3.13/Dockerfile
index a209429..596c0da 100644
--- a/python/3.13/Dockerfile
+++ b/python/3.13/Dockerfile
@@ -4,11 +4,12 @@ FROM $BUILD_FROM
 ARG \
 PYTHON_VERSION \
 PIP_VERSION \
- GPG_KEY \
+ CERT_IDENTITY \
+ CERT_OIDC_ISSUER \
 QEMU_CPU
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
@@ -17,19 +18,20 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- gnupg \
 openssl \
 tar \
 xz \
+ && apk add --no-cache --virtual .cosign cosign \
+ --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
- && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
- && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
- && gpg --batch --verify python.tar.xz.asc python.tar.xz \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+ && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+ && cosign verify-blob \
+ --new-bundle-format \
+ --certificate-identity "${CERT_IDENTITY}" \
+ --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+ --bundle python.tar.xz.sigstore \
+ python.tar.xz \
 && mkdir -p /usr/src/python \
 && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
 && rm python.tar.xz \
@@ -63,7 +65,7 @@ RUN set -ex \
 zlib-dev \
 bluez-dev \
 # add build deps before removing fetch deps in case there's overlap
- && apk del .fetch-deps \
+ && apk del .fetch-deps .cosign \
 \
 && for i in /usr/src/*.patch; do \
 patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.13/build.yaml b/python/3.13/build.yaml
index a11bc52..c8cb688 100644
--- a/python/3.13/build.yaml
+++ b/python/3.13/build.yaml
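Review bot: The cleanup at the end of this hunk regressed: `rm -rf "$GNUPGHOME" python.tar.xz.asc` was removed, and the new chain only runs `rm python.tar.xz`, so the `python.tar.xz.sigstore` bundle fetched a few lines earlier stays in the image layer. Replace it with `&& rm python.tar.xz python.tar.xz.sigstore \`. Both `curl -L -o ...` lines would also benefit from `-f` so a failed download fails the build directly rather than via an unrelated-looking `cosign verify-blob` error. Since this Dockerfile is byte-identical to 3.12 (same blob ids `a209429..596c0da`), the unpinned `cosign` install from the fixed `v3.21/community` repository applies here too and deserves a version pin. The RUN instruction continues outside the hunk.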
@@ -11,7 +11,8 @@ cosign:
 args:
 PYTHON_VERSION: 3.13.4
 PIP_VERSION: 25.1.1
- GPG_KEY: 7169605F62C751356D054A26A821E680E5FA6305
+ CERT_IDENTITY: thomas@python.org
+ CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
 io.hass.base.name: python
 org.opencontainers.image.source: https://github.com/home-assistant/docker-base