> This seems like a different brand of the keyserver network?
It serves a vaguely similar purpose, if that's what you mean. That shouldn't be surprising, since this is all PKI-shaped problems under the hood.
To reiterate: the operational constraints here are (1) simplicity and reliability for PyPI, plus secure defaults for the signing scheme itself. Running a PGP keyserver would not offer (1), and PGP as an ecosystem does not offer (2). This is even before desired properties, like strong identity binding, which PGP cannot offer in its current form.
> "online operations" would be interactions with some other service or a non-PSF service? Or simply a service not-wholly-pypi?
In the PGP setting, that means PyPI would need to pull from a keyserver. That keyserver would need to be one that PyPI doesn't control in order for the threat model to be coherent.
In the PEP 740 setting, PyPI does not need to pull any material from anywhere besides what the uploader is providing: the signatures in the attestations uploaded are signed with an attacked ephemeral signing certificate, which has a trusted publisher as its identity. That signing certificate can then be chained to an already established root of trust, in "normal" X.509 PKI fashion.
You could approximate this design with PGP, but none of the primitives currently exist (or if they exist, are inoperational).
> But the sigstore analog is the JSON array of in-toto attestation statement objects.
Yes. Believe it or not, a big ugly JSON blob is simpler than dealing with PGP's mess of packet versions and formats.
> If the strong identity binding is OIDC then I disagree. It's convenient but no more evidence of identity than being able to unlock a private key.
Modulo the security of the OIDC provider, it's a very strong proof of identity. The world already assumes this in practice (via pervasive OAuth and OIDC in other contexts); all PEP 740 does is make the same assumption rather than trying to bolt strong identity onto PGP.
(I think there are good objections to OIDC, including the risk of centralization. But I've yet to see a better widely adopted system for publicly verifying identity claims.)
> This doesn't make sense unless the author key material was only ever published on the PyPI keyserver.
Is there any evidence that anybody is reconciling results from different PGP keyservers? I don't think anybody was doing this even at the peak of the SKS network.
(But even this assumes more sophistication than the average user is putting into verification: 99% of Python distribution installations aren't doing even hash-checking. Expecting that users will begin to do keyring curation isn't reasonable, and - critically - is not empirically supported by the last 2 decades of PGP support on PyPI.)
> What about checking for revocation?
PEP 740 assumes short-lived (~10 minute) signing certificates with ephemeral signing keys. Subscriber-level revocation hasn't scaled well for the Web PKI, so the underlying stack here (Sigstore) prefers limiting the scope of signing materials and enforcing transparency instead.
My point is that it is not stronger than the corresponding ability to unlock a private PGP key. OAuth/OIDC is convenient and has more friendly tooling, I concede this easily. But to make a claim that it's a strong proof of identity would require the account provider behind the OAuth to follow some sort of "know your customer"-like verification to claim more than "the request came from a system which has access to the account."
> I don't think anybody was doing this even at the peak of the SKS network.
Maybe not? Most of my interaction with PGP was as an attestation of content, I really produced this text. That was relevant in sub-networks of contacts which had mutual trust via signatures, or fingerprints shared through another medium.
But that doesn't change my perspective on the threat model. If there is an "evil PyPI" and end users need to have trust of the author, it seems to me the same trust relationship graph needs to be constructed. And that sigstore provides some means to do that means it's less work, and that's great and compelling. But it doesn't actually change the number of points to inspect to conclude "trusted," which seems to fail a simple test of either being more or less difficult to consider as the same number of trust checks need to occur.
> But even this assumes more sophistication than the average user is putting into verification
Is there some user story for how an end user might "build warm fuzzies" about trusting packages in the post-PEP 740 world? If pip (or some tool) ends up with functionality to effect the verification, the "expecting users to manage keyrings" argument seems to go away, as that tool would also be the logical place to drop that functionality. Or is it that `cosign --verify` is expected to be a lighter lift to document than `gpg --verify`?
I see how the ephemeral keys mean revocation of the signing keys is less of a concern. And even how transparency provides an avenue to discover misuse, so long as it is monitored. It seems like PyPI doing some consistency monitoring on behalf of authors would be required to make a claim of trustworthiness, which strikes me as an expanded operational concern.
It serves a vaguely similar purpose, if that's what you mean. That shouldn't be surprising, since this is all PKI-shaped problems under the hood.
To reiterate: the operational constraints here are (1) simplicity and reliability for PyPI, plus secure defaults for the signing scheme itself. Running a PGP keyserver would not offer (1), and PGP as an ecosystem does not offer (2). This is even before desired properties, like strong identity binding, which PGP cannot offer in its current form.
> "online operations" would be interactions with some other service or a non-PSF service? Or simply a service not-wholly-pypi?
In the PGP setting, that means PyPI would need to pull from a keyserver. That keyserver would need to be one that PyPI doesn't control in order for the threat model to be coherent.
In the PEP 740 setting, PyPI does not need to pull any material from anywhere besides what the uploader is providing: the signatures in the attestations uploaded are signed with an attacked ephemeral signing certificate, which has a trusted publisher as its identity. That signing certificate can then be chained to an already established root of trust, in "normal" X.509 PKI fashion.
You could approximate this design with PGP, but none of the primitives currently exist (or if they exist, are inoperational).
> But the sigstore analog is the JSON array of in-toto attestation statement objects.
Yes. Believe it or not, a big ugly JSON blob is simpler than dealing with PGP's mess of packet versions and formats.