SigstoreCon North America 2022

Sigstore is coming to the Python packaging ecosystem! For the past 9 months, engineers at Trail of Bits have worked with members and stakeholders within the Sigstore community to develop sigstore-python, a high-quality Python API and CLI for performing Sigstore-style signatures and verifications. Now comes the hard part: convincing members of Python's packaging ecosystem, among the largest and most critical, to adopt Sigstore into their package publishing and consumption workflows. This talk will perform a survey of Python packaging, and consider some of the ways in which Sigstore fits into the packaging user experience. Particular consideration will be given to two groups of packaging ecosystem users: "ordinary" users, who should benefit from baseline authenticity and integrity without having to substantially alter their workflows, and "proactive" users, who should be able to opt into *additional* security guarantees (such as verification against TUF-attested claims) both when packaging and consuming others' packages.