python · hugovk · Nov 14, 2025 · Oct 15, 2025 · Oct 15, 2025 · Nov 14, 2025
diff --git a/add_to_pydotorg.py b/add_to_pydotorg.py
@@ -364,32 +364,6 @@ def has_sigstore_signature(filename: str) -> bool:
             os.path.exists(filename + ".sig") and os.path.exists(filename + ".crt")
         )
 
-    # Ensure that Sigstore CLI installed on the download server is
-    # at least v3.0.0 or later to ensure valid Sigstore bundles are generated.
-    try:
-        sigstore_version_stdout = subprocess.check_output(
-            ["python3", "-m", "sigstore", "--version"]
-        )
-        sigstore_version_match = re.search(
-            r"([0-9][0-9.]*[0-9])", sigstore_version_stdout.decode()
-        )
-        if not sigstore_version_match:
-            error(
-                f"Couldn't determine version of Sigstore CLI: "
-                f"{sigstore_version_stdout.decode()}"
-            )
-        sigstore_version = sigstore_version_match.group(1)
-        sigstore_major_version = int(sigstore_version.partition(".")[0])
-        if sigstore_major_version < 3:
-            error(
-                f"Sigstore v3 or later must be installed "
-                f"(currently {sigstore_version}), "
-                f"run: python -m pip install -r requirements.txt"
-            )
-    except subprocess.CalledProcessError:
-        error("Couldn't determine version of Sigstore CLI")
-    print(f"Sigstore CLI installed is version v{sigstore_version}")
-
     # Skip files that already have a signature (likely source distributions)
     unsigned_files = [
         filename for filename in filenames if not has_sigstore_signature(filename)

diff --git a/run_release.py b/run_release.py
@@ -363,14 +363,21 @@ def check_sigstore_client(db: ReleaseShelf) -> None:
     )
     _, stdout, _ = client.exec_command("python3 -m sigstore --version")
     sigstore_version = stdout.read(1000).decode()
-    sigstore_vermatch = re.match("^sigstore ([0-9.]+)", sigstore_version)
-    if not sigstore_vermatch or tuple(
-        int(part) for part in sigstore_vermatch.group(1).split(".")
-    ) < (3, 5):
-        raise ReleaseException(
-            f"Sigstore version not detected or not valid. "
-            f"Expecting 3.5.x or later: {sigstore_version}"
-        )
+    check_sigstore_version(sigstore_version)
+
+
+def check_sigstore_version(version: str) -> None:
+    version_match = re.match("^sigstore ([0-9.]+)", version)
+    if version_match:
+        version_tuple = tuple(int(part) for part in version_match.group(1).split("."))
+        if (3, 6, 2) <= version_tuple < (4, 0):
+            # good version
+            return
+
+    raise ReleaseException(
+        f"Sigstore version not detected or not valid. "
+        f"Expecting >= 3.6.2 and < 4.0.0, got: {version}"
+    )
 
 
 def check_buildbots(db: ReleaseShelf) -> None:

diff --git a/tests/test_run_release.py b/tests/test_run_release.py
@@ -11,6 +11,27 @@
 from release import ReleaseShelf, Tag
 
 
+@pytest.mark.parametrize(
+    "version",
+    ["sigstore 3.6.2", "sigstore 3.6.6"],
+)
+def test_check_sigstore_version_success(version) -> None:
+    # Verify runs with no exceptions
+    run_release.check_sigstore_version(version)
+
+
+@pytest.mark.parametrize(
+    "version",
+    ["sigstore 3.4.0", "sigstore 3.6.0", "sigstore 4.0.0", ""],
+)
+def test_check_sigstore_version_exception(version) -> None:
+    with pytest.raises(
+        run_release.ReleaseException,
+        match="Sigstore version not detected or not valid",
+    ):
+        run_release.check_sigstore_version(version)
+
+
 @pytest.mark.parametrize(
     ["url", "expected"],
     [