Sigstore documentation doesn't have example for `.sigstore` bundles

[sethmlarson]

Describe the bug

Follow-up from #2247, the examples on the Sigstore information page (https://python.org/download/sigstore) only references being able to verify .crt and .sig files, where now new releases have a singular Sigstore bundle file .sigstore that should be verified with --bundle <FILE>.

Since there are releases out there with both flavors of verification material, we'll need to give the user instructions on which method to use based on which materials are available.

I was going to make the contribution to fix this myself, but I was unable to grep the Sigstore Information page header anywhere in this project or under the python org in GitHub. Maybe my search skills or GitHub is failing here somehow, but where is the source code for the page in question?

[woodruffw]

Thanks for pinging me downstream! Adding an example of verifying using --bundle seems exactly appropriate to me.

Maybe my search skills or GitHub is failing here somehow, but where is the source code for the page in question?

I think I ran into the same thing -- I believe it's in a CMS somewhere, and @di has modified it in the past.

[di]

It is indeed in the python.org CMS, which I have edit access to.

[ned-deily]

There probably should also be refereences to sigstore on the Python Downloads page. I've opened a new issue about that.

[sethmlarson]

As a part of this work I'd like to backfill the existing crt/sig files with bundles for easier verification instructions. @woodruffw and I created this issue to track this functionality in sigstore-python: sigstore/sigstore-python#718

[sethmlarson]

Created a task for back-filling Python releases from existing verification materials: #2300

[sethmlarson]

Once bundles have been backfilled and the documentation updated we can remove the crt/sig generation from python/release-tools to match the default generation behavior from sigstore-python v2.

[sethmlarson]

Releases have been backfilled with bundles so I've updated the documentation to only reference verifying Sigstore bundles. We can now close this issue.