From eaa8ae2efbe27e25e918875fc3797252a7de603b Mon Sep 17 00:00:00 2001
From: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Date: Wed, 4 Jun 2025 12:33:44 +0200
Subject: [PATCH 1/3] Use sigstore for Python artifact verification

---
 python/3.11/Dockerfile | 18 +++++++++---------
 python/3.11/build.yaml | 3 ++-
 python/3.12/Dockerfile | 18 +++++++++---------
 python/3.12/build.yaml | 3 ++-
 python/3.13/Dockerfile | 18 +++++++++---------
 python/3.13/build.yaml | 3 ++-
 6 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/python/3.11/Dockerfile b/python/3.11/Dockerfile
index 9a3370e1..b4566389 100644
--- a/python/3.11/Dockerfile
+++ b/python/3.11/Dockerfile
@@ -4,7 +4,8 @@ FROM $BUILD_FROM
 ARG \
 PYTHON_VERSION \
 PIP_VERSION \
- GPG_KEY \
+ CERT_IDENTITY \
+ CERT_OIDC_ISSUER \
 QEMU_CPU
 
 # ensure local python is preferred over distribution python
@@ -17,19 +18,18 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- gnupg \
+ cosign \
 openssl \
 tar \
 xz \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
- && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
- && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
- && gpg --batch --verify python.tar.xz.asc python.tar.xz \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+ && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+ && cosign verify-blob \
+ --certificate-identity "${CERT_IDENTITY}" \
+ --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+ --bundle python.tar.xz.sigstore \
+ python.tar.xz \
 && mkdir -p /usr/src/python \
 && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
 && rm python.tar.xz \
diff --git a/python/3.11/build.yaml b/python/3.11/build.yaml
index 69dfbcb9..28ea1aca 100644
--- a/python/3.11/build.yaml
+++ b/python/3.11/build.yaml
@@ -11,7 +11,8 @@ cosign:
 args:
 PYTHON_VERSION: 3.11.12
 PIP_VERSION: 25.0.1
- GPG_KEY: A035C8C19219BA821ECEA86B64E628F8D684696D
+ CERT_IDENTITY: pablogsal@python.org
+ CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
 io.hass.base.name: python
 org.opencontainers.image.source: https://github.com/home-assistant/docker-base
diff --git a/python/3.12/Dockerfile b/python/3.12/Dockerfile
index a2094295..6ecf75f4 100644
--- a/python/3.12/Dockerfile
+++ b/python/3.12/Dockerfile
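Review bot: The downloaded bundle `python.tar.xz.sigstore` is not removed in this hunk: the final `&& rm python.tar.xz \` deletes only the tarball, whereas the replaced gpg path removed `python.tar.xz.asc`, so unless a later part of the RUN instruction (which continues past the hunk) cleans it up, the bundle is baked into the image layer; change the line to `&& rm python.tar.xz python.tar.xz.sigstore \`. Both `curl -L -o …` lines also run without `--fail`, so a non-2xx response is written to the output file and only surfaces later as a cosign verification failure on an HTML body; `curl -fL -o …` fails at download time with a clearer message (verification rejects the bad body either way, so this is a diagnostics point rather than a trust one). The same applies to the identical RUN hunks in python/3.12/Dockerfile and python/3.13/Dockerfile.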
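Review bot: The new `CERT_IDENTITY`/`CERT_OIDC_ISSUER` pair is the trust anchor for the whole source download, but nothing in build.yaml records where the value comes from or why it differs per branch (the patch uses `pablogsal@python.org` for 3.11 and `thomas@python.org` for 3.12/3.13). A comment above the two keys, e.g. `# Signing identity of this branch's release manager; re-check against https://www.python.org/download/sigstore/ when bumping PYTHON_VERSION`, would keep the next version bump from carrying a stale or wrong identity into the verification step. The same applies to the build.yaml hunks for 3.12 and 3.13.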
@@ -4,7 +4,8 @@ FROM $BUILD_FROM
 ARG \
 PYTHON_VERSION \
 PIP_VERSION \
- GPG_KEY \
+ CERT_IDENTITY \
+ CERT_OIDC_ISSUER \
 QEMU_CPU
 
 # ensure local python is preferred over distribution python
@@ -17,19 +18,18 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- gnupg \
+ cosign \
 openssl \
 tar \
 xz \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
- && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
- && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
- && gpg --batch --verify python.tar.xz.asc python.tar.xz \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+ && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+ && cosign verify-blob \
+ --certificate-identity "${CERT_IDENTITY}" \
+ --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+ --bundle python.tar.xz.sigstore \
+ python.tar.xz \
 && mkdir -p /usr/src/python \
 && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
 && rm python.tar.xz \
diff --git a/python/3.12/build.yaml b/python/3.12/build.yaml
index b29d3e2f..67830ab4 100644
--- a/python/3.12/build.yaml
+++ b/python/3.12/build.yaml
@@ -11,7 +11,8 @@ cosign:
 args:
 PYTHON_VERSION: 3.12.10
 PIP_VERSION: 25.0.1
- GPG_KEY: 7169605F62C751356D054A26A821E680E5FA6305
+ CERT_IDENTITY: thomas@python.org
+ CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
 io.hass.base.name: python
 org.opencontainers.image.source: https://github.com/home-assistant/docker-base
diff --git a/python/3.13/Dockerfile b/python/3.13/Dockerfile
index a2094295..6ecf75f4 100644
--- a/python/3.13/Dockerfile
+++ b/python/3.13/Dockerfile
@@ -4,7 +4,8 @@ FROM $BUILD_FROM
 ARG \
 PYTHON_VERSION \
 PIP_VERSION \
- GPG_KEY \
+ CERT_IDENTITY \
+ CERT_OIDC_ISSUER \
 QEMU_CPU
 
 # ensure local python is preferred over distribution python
@@ -17,19 +18,18 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- gnupg \
+ cosign \
 openssl \
 tar \
 xz \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
- && curl -L -o python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf" \
- && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GPG_KEY}" \
- && gpg --batch --verify python.tar.xz.asc python.tar.xz \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" python.tar.xz.asc \
+ && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
+ && cosign verify-blob \
+ --certificate-identity "${CERT_IDENTITY}" \
+ --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
+ --bundle python.tar.xz.sigstore \
+ python.tar.xz \
 && mkdir -p /usr/src/python \
 && tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
 && rm python.tar.xz \
diff --git a/python/3.13/build.yaml b/python/3.13/build.yaml
index fd0f5a94..124c3841 100644
--- a/python/3.13/build.yaml
+++ b/python/3.13/build.yaml
@@ -11,7 +11,8 @@ cosign:
 args:
 PYTHON_VERSION: 3.13.3
 PIP_VERSION: 25.0.1
- GPG_KEY: 7169605F62C751356D054A26A821E680E5FA6305
+ CERT_IDENTITY: thomas@python.org
+ CERT_OIDC_ISSUER: https://accounts.google.com
 labels:
 io.hass.base.name: python
 org.opencontainers.image.source: https://github.com/home-assistant/docker-base
From 882a4b872ae2d5e1f45ffd776b5cc565f6bd6b6d Mon Sep 17 00:00:00 2001
From: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Date: Wed, 4 Jun 2025 12:34:21 +0200
Subject: [PATCH 2/3] Fix dockerfile warning

---
 python/3.11/Dockerfile | 2 +-
 python/3.12/Dockerfile | 2 +-
 python/3.13/Dockerfile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/3.11/Dockerfile b/python/3.11/Dockerfile
index b4566389..4ba586eb 100644
--- a/python/3.11/Dockerfile
+++ b/python/3.11/Dockerfile
@@ -9,7 +9,7 @@ ARG \
 QEMU_CPU
 
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
diff --git a/python/3.12/Dockerfile b/python/3.12/Dockerfile
index 6ecf75f4..639e7122 100644
--- a/python/3.12/Dockerfile
+++ b/python/3.12/Dockerfile
@@ -9,7 +9,7 @@ ARG \
 QEMU_CPU
 
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
diff --git a/python/3.13/Dockerfile b/python/3.13/Dockerfile
index 6ecf75f4..639e7122 100644
--- a/python/3.13/Dockerfile
+++ b/python/3.13/Dockerfile
@@ -9,7 +9,7 @@ ARG \
 QEMU_CPU
 
 # ensure local python is preferred over distribution python
-ENV PATH /usr/local/bin:$PATH
+ENV PATH=/usr/local/bin:$PATH
 
 # Set shell
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]

From a4a72cee6cd45e2bb4e75e2529f52385fddbee2f Mon Sep 17 00:00:00 2001
From: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Date: Thu, 5 Jun 2025 22:56:27 +0200
Subject: [PATCH 3/3] Install cosign 2.4.1 or later

---
 python/3.11/Dockerfile | 6 ++++--
 python/3.12/Dockerfile | 6 ++++--
 python/3.13/Dockerfile | 6 ++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/python/3.11/Dockerfile b/python/3.11/Dockerfile
index 4ba586eb..e7be73ab 100644
--- a/python/3.11/Dockerfile
+++ b/python/3.11/Dockerfile
@@ -18,14 +18,16 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- cosign \
 openssl \
 tar \
 xz \
+ && apk add --no-cache --virtual .cosign cosign \
+ --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
 && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
 && cosign verify-blob \
+ --new-bundle-format \
 --certificate-identity "${CERT_IDENTITY}" \
 --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
 --bundle python.tar.xz.sigstore \
@@ -63,7 +65,7 @@ RUN set -ex \
 zlib-dev \
 bluez-dev \
 # add build deps before removing fetch deps in case there's overlap
- && apk del .fetch-deps \
+ && apk del .fetch-deps .cosign \
 \
 && for i in /usr/src/*.patch; do \
 patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.12/Dockerfile b/python/3.12/Dockerfile
index 639e7122..596c0da1 100644
--- a/python/3.12/Dockerfile
+++ b/python/3.12/Dockerfile
@@ -18,14 +18,16 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- cosign \
 openssl \
 tar \
 xz \
+ && apk add --no-cache --virtual .cosign cosign \
+ --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
 && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
 && cosign verify-blob \
+ --new-bundle-format \
 --certificate-identity "${CERT_IDENTITY}" \
 --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
 --bundle python.tar.xz.sigstore \
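Review bot: The new `apk add --no-cache --virtual .cosign cosign --repository="…/alpine/v3.21/community"` line does not enforce the minimum the commit subject names: no version constraint is given, so the build installs whatever `cosign` that repository currently serves, and the hard-coded `v3.21` path will not follow the base image's Alpine release. If the requirement is support for the `--new-bundle-format` flag added below, a constraint such as `'cosign>=2.4.1'` (or an exact `cosign=<version>` pin) makes an older package fail at install time instead of with an unrecognised-flag error during verification, and a `cosign version` line after the install would record the assumption in the build log. Pulling a package from a newer release's repository into an older base can also bring in dependencies built against a different library set; this is contained here because the later `apk del .fetch-deps .cosign` hunk removes it again, but it is worth a comment on the `--repository` line explaining why the cross-release source is needed. The same applies to the matching hunks in python/3.12/Dockerfile and python/3.13/Dockerfile.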
@@ -63,7 +65,7 @@ RUN set -ex \
 zlib-dev \
 bluez-dev \
 # add build deps before removing fetch deps in case there's overlap
- && apk del .fetch-deps \
+ && apk del .fetch-deps .cosign \
 \
 && for i in /usr/src/*.patch; do \
 patch -d /usr/src/python -p 1 < "${i}"; done \
diff --git a/python/3.13/Dockerfile b/python/3.13/Dockerfile
index 639e7122..596c0da1 100644
--- a/python/3.13/Dockerfile
+++ b/python/3.13/Dockerfile
@@ -18,14 +18,16 @@ COPY *.patch /usr/src/
 RUN set -ex \
 && export PYTHON_VERSION=${PYTHON_VERSION} \
 && apk add --no-cache --virtual .fetch-deps \
- cosign \
 openssl \
 tar \
 xz \
+ && apk add --no-cache --virtual .cosign cosign \
+ --repository="https://dl-cdn.alpinelinux.org/alpine/v3.21/community" \
 \
 && curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
 && curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
 && cosign verify-blob \
+ --new-bundle-format \
 --certificate-identity "${CERT_IDENTITY}" \
 --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
 --bundle python.tar.xz.sigstore \
@@ -63,7 +65,7 @@ RUN set -ex \
 zlib-dev \
 bluez-dev \
 # add build deps before removing fetch deps in case there's overlap
- && apk del .fetch-deps \
+ && apk del .fetch-deps .cosign \
 \
 && for i in /usr/src/*.patch; do \
 patch -d /usr/src/python -p 1 < "${i}"; done \