From e46e41c223a054e33e6a48d6700e9eabcdd18f92 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 15 Oct 2025 10:04:50 +0300
Subject: [PATCH 1/3] Refactor Sigstore version check to be testable
---
 run_release.py | 12 ++++++++----
 tests/test_run_release.py | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/run_release.py b/run_release.py
index 74b43965..76e67971 100755
--- a/run_release.py
+++ b/run_release.py
@@ -363,13 +363,17 @@ def check_sigstore_client(db: ReleaseShelf) -> None:
 )
 _, stdout, _ = client.exec_command("python3 -m sigstore --version")
 sigstore_version = stdout.read(1000).decode()
- sigstore_vermatch = re.match("^sigstore ([0-9.]+)", sigstore_version)
- if not sigstore_vermatch or tuple(
- int(part) for part in sigstore_vermatch.group(1).split(".")
+ check_sigstore_version(sigstore_version)
+
+
+def check_sigstore_version(version: str) -> None:
+ version_match = re.match("^sigstore ([0-9.]+)", version)
+ if not version_match or tuple(
+ int(part) for part in version_match.group(1).split(".")
 ) < (3, 5):
 raise ReleaseException(
 f"Sigstore version not detected or not valid. "
- f"Expecting 3.5.x or later: {sigstore_version}"
+ f"Expecting 3.5.x or later: {version}"
 )
diff --git a/tests/test_run_release.py b/tests/test_run_release.py
index 4b73b7f2..fae3eac8 100644
--- a/tests/test_run_release.py
+++ b/tests/test_run_release.py
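Review bot: The parsing in the added `check_sigstore_version` can fail with `ValueError` instead of the intended `ReleaseException`, because `[0-9.]+` also matches adjacent or trailing dots, so an output like `sigstore 3.` splits into `["3", ""]` and `int("")` raises before the comparison is reached. Tightening the pattern to `version_match = re.match(r"^sigstore (\d+(?:\.\d+)*)", version)` makes every captured component a non-empty digit run (and uses a raw string for the regex); the second patch's run_release.py hunk keeps the same pattern, so the fix applies there too. Since the string is whatever `client.exec_command` returned, presumably a remote host's stdout, the function should also document its contract: `"""Raise ReleaseException unless *version* is sigstore's --version output reporting 3.5 or newer."""`. The enclosing check_sigstore_client starts before this hunk.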
@@ -11,6 +11,27 @@
 from release import ReleaseShelf, Tag
+@pytest.mark.parametrize(
+ "version",
+ ["sigstore 3.5.0", "sigstore 4.0.0"],
+)
+def test_check_sigstore_version_success(version) -> None:
+ # Verify runs with no exceptions
+ run_release.check_sigstore_version(version)
+
+
+@pytest.mark.parametrize(
+ "version",
+ ["sigstore 2.0.0", "sigstore 3.4.0", ""],
+)
+def test_check_sigstore_version_exception(version) -> None:
+ with pytest.raises(
+ run_release.ReleaseException,
+ match="Sigstore version not detected or not valid",
+ ):
+ run_release.check_sigstore_version(version)
+
+
 @pytest.mark.parametrize(
 ["url", "expected"],
 [
From e598814336cb1051d2f7fbc5959a9ede3544f9bd Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Wed, 15 Oct 2025 10:48:52 +0300
Subject: [PATCH 2/3] Require Sigstore >= 3.6.2, < 4
---
 run_release.py | 17 ++++++++++-------
 tests/test_run_release.py | 4 ++--
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/run_release.py b/run_release.py
index 76e67971..b68e24fe 100755
--- a/run_release.py
+++ b/run_release.py
@@ -368,13 +368,16 @@ def check_sigstore_client(db: ReleaseShelf) -> None:
 def check_sigstore_version(version: str) -> None:
 version_match = re.match("^sigstore ([0-9.]+)", version)
- if not version_match or tuple(
- int(part) for part in version_match.group(1).split(".")
- ) < (3, 5):
- raise ReleaseException(
- f"Sigstore version not detected or not valid. "
- f"Expecting 3.5.x or later: {version}"
- )
+ if version_match:
+ version_tuple = tuple(int(part) for part in version_match.group(1).split("."))
+ if (3, 6, 2) <= version_tuple < (4, 0):
+ # good version
+ return
+
+ raise ReleaseException(
+ f"Sigstore version not detected or not valid. "
+ f"Expecting >= 3.6.2 and < 4.0.0, got: {version}"
+ )
 def check_buildbots(db: ReleaseShelf) -> None:
diff --git a/tests/test_run_release.py b/tests/test_run_release.py
index fae3eac8..ab5e485f 100644
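Review bot: The upper bound in the new `if (3, 6, 2) <= version_tuple < (4, 0):` does not reject a bare major version: Python orders a shorter tuple before its extensions, so `(4,) < (4, 0)` is True and `sigstore 4` would pass while `sigstore 4.0.0` is rejected. Writing the bound as `if (3, 6, 2) <= version_tuple < (4,):` closes that edge and still matches the message's `< 4.0.0`. The `# good version` comment only restates the condition; a docstring stating that the function raises ReleaseException unless the `--version` output reports a release in the [3.6.2, 4.0) window would be more useful, especially as the third patch's subject indicates this becomes the sole pre-check for the Sigstore version.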
--- a/tests/test_run_release.py
+++ b/tests/test_run_release.py
@@ -13,7 +13,7 @@
 @pytest.mark.parametrize(
 "version",
- ["sigstore 3.5.0", "sigstore 4.0.0"],
+ ["sigstore 3.6.2", "sigstore 3.6.6"],
 )
 def test_check_sigstore_version_success(version) -> None:
 # Verify runs with no exceptions
@@ -22,7 +22,7 @@ def test_check_sigstore_version_success(version) -> None:
 @pytest.mark.parametrize(
 "version",
- ["sigstore 2.0.0", "sigstore 3.4.0", ""],
+ ["sigstore 3.4.0", "sigstore 3.6.0", "sigstore 4.0.0", ""],
 )
 def test_check_sigstore_version_exception(version) -> None:
 with pytest.raises(
From e7e01fbeb2f9aba8f703cee73ffe662e3f697b71 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 14 Nov 2025 16:29:40 +0200
Subject: [PATCH 3/3] Remove this Sigstore version check in favour of existing fail-fast pre-check
---
 add_to_pydotorg.py | 26 --------------------------
 1 file changed, 26 deletions(-)
diff --git a/add_to_pydotorg.py b/add_to_pydotorg.py
index 6b1d7f2d..afce207e 100755
--- a/add_to_pydotorg.py
+++ b/add_to_pydotorg.py
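Review bot: The new parametrizations leave both edges of the window untested: in the second hunk the failure list jumps from `sigstore 3.6.0` to `sigstore 4.0.0`, so a patch-level miss such as `"sigstore 3.6.1"` is never exercised, and in the first hunk the success list stops at `sigstore 3.6.6`, so no later 3.x minor is shown to pass. Adding `"sigstore 3.6.1"` to the exception cases and `"sigstore 3.7.0"` to the success cases would pin the `>= 3.6.2, < 4` contract the commit message states.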
@@ -364,32 +364,6 @@ def has_sigstore_signature(filename: str) -> bool:
 os.path.exists(filename + ".sig") and os.path.exists(filename + ".crt")
 )
- # Ensure that Sigstore CLI installed on the download server is
- # at least v3.0.0 or later to ensure valid Sigstore bundles are generated.
- try:
- sigstore_version_stdout = subprocess.check_output(
- ["python3", "-m", "sigstore", "--version"]
- )
- sigstore_version_match = re.search(
- r"([0-9][0-9.]*[0-9])", sigstore_version_stdout.decode()
- )
- if not sigstore_version_match:
- error(
- f"Couldn't determine version of Sigstore CLI: "
- f"{sigstore_version_stdout.decode()}"
- )
- sigstore_version = sigstore_version_match.group(1)
- sigstore_major_version = int(sigstore_version.partition(".")[0])
- if sigstore_major_version < 3:
- error(
- f"Sigstore v3 or later must be installed "
- f"(currently {sigstore_version}), "
- f"run: python -m pip install -r requirements.txt"
- )
- except subprocess.CalledProcessError:
- error("Couldn't determine version of Sigstore CLI")
- print(f"Sigstore CLI installed is version v{sigstore_version}")
-
 # Skip files that already have a signature (likely source distributions)
 unsigned_files = [
 filename for filename in filenames if not has_sigstore_signature(filename)