Seth Michael Larson: New experimental Debian package for Cosign (Sigstore)

Published 2024-12-09 by Seth Larson

Cosign has a new experimental package available for Debian thanks to the work of Simon Josefsson. Simon and I had an email exchange about Sigstore and Cosign on Debian after the discussion about PEP 761 (Deprecation and discontinuation of PGP signatures).

Debian and other downstream distros of Python and Python packages are incredibly important consumers of verification materials. Because these distros actually verify materials for every build of a package, this increases the confidence for other users using these same artifacts even without those users directly verifying the materials themselves. We need more actors in the ecosystem doing end-to-end verification to dissuade attackers from supply-chain attacks targeting artifact repositories like python.org and PyPI.

Trying Cosign in Docker

I gave the experimental package a try using the Debian Docker image to verify CPython 3.14.0-alpha2's tarball and verification materials:

$ docker run --rm -it debian:bookworm

# Install the basics for later use.
$ apt-get update
$ apt-get install ca-certificates wget

# Add Simon's experimental package repo
# and install Cosign! :party:
$ echo "deb [trusted=yes] https://salsa.debian.org/jas/cosign/-/jobs/6682245/artifacts/raw/aptly experimental main" | \
    tee --append /etc/apt/sources.list.d/add.list
$ apt-get update
$ apt-get install cosign
$ cosign version

  (Cosign ASCII-art banner)
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

Now we can test Cosign out with CPython's artifacts. We expect Hugo van Kemenade (hugo@python.org) as the release manager for Python 3.14:

# Download the source and Sigstore bundle
$ wget https://www.python.org/ftp/python/3.14.0/Python-3.14.0a2.tgz
$ wget https://www.python.org/ftp/python/3.14.0/Python-3.14.0a2.tgz.sigstore

# Verify with Cosign!
$ cosign verify-blob \
    --certificate-identity hugo@python.org \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --bundle ./Python-3.14.0a2.tgz.sigstore \
    --new-bundle-format \
    ./Python-3.14.0a2.tgz

Verified OK

Overall, this is working as expected from my point-of-view! Simon had a few open questions mostly for Cosign's upstream project. I am hopeful that this means we'll begin seeing Sigstore bundles and their derivatives (such as attestations from the Python Package Index) be used for downstream verification by distros like Debian. Exciting times ahead!

New Bundle Format

My first attempt didn't include the --new-bundle-format option, which resulted in an opaque error. Hopefully this user-experience issue will be phased out and Cosign will default to the new bundle format. I'm including the error here strictly for folks searching for this error message who want to fix their issue.

Error: bundle does not contain cert for verification, please provide public key
main.go:74: error during command execution: bundle does not contain cert for verification, please provide public key
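The --new-bundle-format confusion above comes down to which on-disk shape Cosign expects: the newer Sigstore bundle JSON (with a mediaType and an embedded certificate) versus Cosign's older {base64Signature, cert, rekorBundle} file, which is where the "bundle does not contain cert" message comes from. As an added example (not code from this post, from Cosign, or from the Sigstore project), here is a small Python pre-flight inspector for a .sigstore file: it reports whether the file is the new bundle format (so the flag is needed), whether it embeds the signing certificate, and whether its message digest matches the artifact's SHA-256, failing closed on an unexpected digest algorithm. The sample bundle and artifact bytes are constructed; the media type and field names follow the Sigstore bundle JSON, while the certificate and signature values are placeholders. It is deliberately not a verifier: the signature, certificate chain, identity/issuer pinning and transparency-log entry are still checked by cosign verify-blob.

```python
"""Offline pre-flight inspection of a Sigstore bundle (.sigstore file).

Added example, not from the original post or from Cosign. It only parses the
bundle JSON: it classifies the on-disk format, checks that a signing
certificate is embedded, and checks that the message digest matches the
artifact's SHA-256. It does NOT verify the signature, certificate chain,
identity/issuer or transparency-log entry; cosign verify-blob does that.
"""
import base64
import hashlib
import json

SIGSTORE_BUNDLE_MEDIA_PREFIX = "application/vnd.dev.sigstore.bundle"


def classify_bundle(bundle: dict) -> str:
    """Return which on-disk format a parsed bundle uses.

    'sigstore-bundle' -> the Sigstore bundle JSON that cosign verify-blob
                         needs --new-bundle-format for.
    'cosign-legacy'   -> Cosign's older {base64Signature, cert, rekorBundle}
                         file; reading a new bundle as this shape is what
                         produces "bundle does not contain cert".
    'unknown'         -> neither.
    """
    media_type = bundle.get("mediaType", "")
    if isinstance(media_type, str) and media_type.startswith(SIGSTORE_BUNDLE_MEDIA_PREFIX):
        return "sigstore-bundle"
    if "base64Signature" in bundle:
        return "cosign-legacy"
    return "unknown"


def has_certificate(bundle: dict) -> bool:
    """True if the bundle embeds a signing certificate, either as the v0.3
    'certificate' field or the older v0.1/v0.2 'x509CertificateChain'."""
    material = bundle.get("verificationMaterial", {})
    if material.get("certificate", {}).get("rawBytes"):
        return True
    chain = material.get("x509CertificateChain", {}).get("certificates", [])
    return any(cert.get("rawBytes") for cert in chain)


def digest_matches(bundle: dict, artifact: bytes) -> bool:
    """True if the bundle's messageDigest equals SHA-256(artifact).

    Only SHA2_256 is accepted: an unexpected algorithm fails closed instead of
    being skipped, so a bundle cannot "match" by naming a hash we never computed.
    """
    digest_info = bundle.get("messageSignature", {}).get("messageDigest", {})
    if digest_info.get("algorithm") != "SHA2_256":
        return False
    try:
        expected = base64.b64decode(digest_info.get("digest", ""), validate=True)
    except (ValueError, TypeError):
        return False
    return hashlib.sha256(artifact).digest() == expected


def preflight(bundle_json: str, artifact: bytes) -> dict:
    """Run every check and return a report the caller can act on before
    handing the pair to cosign verify-blob."""
    bundle = json.loads(bundle_json)
    kind = classify_bundle(bundle)
    return {
        "format": kind,
        "needs_new_bundle_flag": kind == "sigstore-bundle",
        "has_certificate": has_certificate(bundle),
        "digest_matches": digest_matches(bundle, artifact),
    }


# Constructed sample input: a stand-in artifact and a bundle whose certificate
# and signature are placeholders, not real Fulcio/Sigstore material.
SAMPLE_ARTIFACT = b"constructed tarball bytes, stand-in for Python-3.14.0a2.tgz\n"
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": base64.b64encode(b"PLACEHOLDER-DER").decode()},
        "tlogEntries": [],
    },
    "messageSignature": {
        "messageDigest": {
            "algorithm": "SHA2_256",
            "digest": base64.b64encode(hashlib.sha256(SAMPLE_ARTIFACT).digest()).decode(),
        },
        "signature": base64.b64encode(b"PLACEHOLDER-SIG").decode(),
    },
})

if __name__ == "__main__":
    for key, value in preflight(SAMPLE_BUNDLE, SAMPLE_ARTIFACT).items():
        print(f"{key}: {value}")
```

A wrapper script for downstream builds can use the report to pick the right Cosign invocation (add --new-bundle-format when the format is the new bundle) and to refuse early when the digest does not match the tarball it is about to unpack; a passing pre-flight still means nothing until cosign verify-blob with a pinned --certificate-identity and --certificate-oidc-issuer reports Verified OK.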

This critical role would not be possible without funding from the Alpha-Omega project.


Thanks for reading! ♡ This work is licensed under CC BY-SA 4.0
