PEP 761 -- Deprecating PGP signatures for CPython artifacts #260

@sethmlarson

Description

Please consider PEP 761 -- Deprecating PGP signatures for CPython artifacts
https://peps.python.org/pep-0761/

  • The PEP has been discussed in threads listed in its Post-History header
  • The PEP was announced on Discuss (link in Post-History)
  • The PEP includes all relevant Suggested Sections
  • The PEP includes endorsements from the projects/groups/people it helps
    • Endorsed by release managers for 3.8, 3.9, 3.14, and 3.14.next (Hugo is also the PEP sponsor), who are the primary benefactors of this PEP.
    • Note that downstream verifiers of signatures necessarily need to do additional work as a result of this PEP, usually to adopt Cosign but also to package the "root of trust" if offline verification is needed. This PEP gives a way to extend the timeline if the schedule is too disruptive.
    • Container image builders (Docker, Heroku Buildpack) have shared that it's possible to verify and would be easier with support from Linux distros (Debian is outstanding, Alpine already supports Sigstore). Docker already has a POC for Sigstore verification.
  • The PEP has a CODEOWNERS entry
