chore: use sigstore to verify CPython archives

CPython 3.14 won't include an OpenPGP signature.
Let's move to sigstore for CPython 3.7+

Author: mayeut

docker/Dockerfile

@@ -107,12 +107,15 @@ RUN export MPDECIMAL_ROOT=mpdecimal-4.0.0 && \
     manylinux-entrypoint /build_scripts/build-mpdecimal.sh
 
 
+FROM --platform=${BUILDPLATFORM} ghcr.io/sigstore/cosign/cosign:v2.4.2 AS cosign-bin
+
 FROM build_base AS build_cpython_system_ssl
 COPY --from=build_tcl_tk /manylinux-buildfs /
 COPY --from=build_mpdecimal /manylinux-buildfs /
 COPY --from=build_sqlite3 /manylinux-buildfs /
 COPY build_scripts/build-cpython.sh /build_scripts/
 RUN if command -v apk >/dev/null 2>&1; then ldconfig /; else ldconfig; fi
+COPY --from=cosign-bin /ko-app/cosign /usr/local/bin/cosign
 
 FROM build_cpython_system_ssl AS build_cpython
 COPY build_scripts/build-openssl.sh /build_scripts/
@@ -124,39 +127,31 @@ RUN export OPENSSL_ROOT=openssl-3.0.15 && \
 
 FROM build_cpython_system_ssl AS build_cpython36
 COPY build_scripts/cpython-pubkeys.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.6.15
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh "" "" 3.6.15
 
 FROM build_cpython_system_ssl AS build_cpython37
-COPY build_scripts/cpython-pubkeys.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.7.17
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://github.com/login/oauth 3.7.17
 
 FROM build_cpython AS build_cpython38
-COPY build_scripts/ambv-pubkey.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.8.20
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://github.com/login/oauth 3.8.20
 
 FROM build_cpython AS build_cpython39
-COPY build_scripts/ambv-pubkey.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.9.21
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://github.com/login/oauth 3.9.21
 
 FROM build_cpython AS build_cpython310
-COPY build_scripts/cpython-pubkey-310-311.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.10.16
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.10.16
 
 FROM build_cpython AS build_cpython311
-COPY build_scripts/cpython-pubkey-310-311.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.11.11
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.11.11
 
 FROM build_cpython AS build_cpython312
-COPY build_scripts/cpython-pubkey-312-313.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.12.9
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.12.9
 
 FROM build_cpython AS build_cpython313
-COPY build_scripts/cpython-pubkey-312-313.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.13.2
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.13.2
 
 FROM build_cpython AS build_cpython313_nogil
-COPY build_scripts/cpython-pubkey-312-313.txt /build_scripts/cpython-pubkeys.txt
-RUN manylinux-entrypoint /build_scripts/build-cpython.sh 3.13.2 nogil
+RUN manylinux-entrypoint /build_scripts/build-cpython.sh [email protected] https://accounts.google.com 3.13.2 nogil
 
 
 FROM runtime_base