Check the existence and version of Sigstore CLI #194

Open
wants to merge 3 commits into
base: master

sethmlarson
Collaborator

Closes #179, long-term solution is to do all the signing on the RM machine. This will do for now to catch fixable mistakes.

@hugovk
Member

hugovk commented Nov 20, 2024

Looks good, thanks.

Testing, first I uninstalled sigstore CLI from the server:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
💥  Checking Sigstore CLI
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/run_release.py", line 1333, in <module>
    main()
  File "/Users/hugo/github/release-tools/run_release.py", line 1329, in main
    automata.run()
  File "/Users/hugo/github/release-tools/run_release.py", line 245, in run
    raise e from None
  File "/Users/hugo/github/release-tools/run_release.py", line 242, in run
    self.current_task(self.db)
  File "/Users/hugo/github/release-tools/release.py", line 126, in __call__
    return getattr(self, "function")(db)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/run_release.py", line 327, in check_sigstore_client
    raise ReleaseException(
ReleaseException: Sigstore version not detected or not valid. Expecting 3.x:

Then installed sigstore<3 (2.1.5) on the server:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
💥  Checking Sigstore CLI
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/run_release.py", line 1333, in <module>
    main()
  File "/Users/hugo/github/release-tools/run_release.py", line 1329, in main
    automata.run()
  File "/Users/hugo/github/release-tools/run_release.py", line 245, in run
    raise e from None
  File "/Users/hugo/github/release-tools/run_release.py", line 242, in run
    self.current_task(self.db)
  File "/Users/hugo/github/release-tools/release.py", line 126, in __call__
    return getattr(self, "function")(db)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/run_release.py", line 327, in check_sigstore_client
    raise ReleaseException(
ReleaseException: Sigstore version not detected or not valid. Expecting 3.x: sigstore 2.1.5

Then installed sigstore==3.4.0 on the server:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
✅  Checking Sigstore CLI

Re: #177 (comment): now #193 has been merged (to send Sigstore CLI verification to stdout, not stderr), is sigstore 3.x enough? And we don't need 3.5+?

@sethmlarson
Collaborator Author

> And we don't need 3.5+?

You're right, we should make sure it's up-to-date to avoid last-second issues. Let me make the version check handle that.

Member

@hugovk hugovk left a comment


Thanks!

Testing again, not installed:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
💥  Checking Sigstore CLI
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/run_release.py", line 1336, in <module>
    main()
  File "/Users/hugo/github/release-tools/run_release.py", line 1332, in main
    automata.run()
  File "/Users/hugo/github/release-tools/run_release.py", line 245, in run
    raise e from None
  File "/Users/hugo/github/release-tools/run_release.py", line 242, in run
    self.current_task(self.db)
  File "/Users/hugo/github/release-tools/release.py", line 126, in __call__
    return getattr(self, "function")(db)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/run_release.py", line 330, in check_sigstore_client
    raise ReleaseException(
ReleaseException: Sigstore version not detected or not valid. Expecting 3.5.x or later:

sigstore-2.1.5:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
💥  Checking Sigstore CLI
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/run_release.py", line 1336, in <module>
    main()
  File "/Users/hugo/github/release-tools/run_release.py", line 1332, in main
    automata.run()
  File "/Users/hugo/github/release-tools/run_release.py", line 245, in run
    raise e from None
  File "/Users/hugo/github/release-tools/run_release.py", line 242, in run
    self.current_task(self.db)
  File "/Users/hugo/github/release-tools/release.py", line 126, in __call__
    return getattr(self, "function")(db)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/run_release.py", line 330, in check_sigstore_client
    raise ReleaseException(
ReleaseException: Sigstore version not detected or not valid. Expecting 3.5.x or later: sigstore 2.1.5

sigstore-3.4.0:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
💥  Checking Sigstore CLI
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/run_release.py", line 1336, in <module>
    main()
  File "/Users/hugo/github/release-tools/run_release.py", line 1332, in main
    automata.run()
  File "/Users/hugo/github/release-tools/run_release.py", line 245, in run
    raise e from None
  File "/Users/hugo/github/release-tools/run_release.py", line 242, in run
    self.current_task(self.db)
  File "/Users/hugo/github/release-tools/release.py", line 126, in __call__
    return getattr(self, "function")(db)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/run_release.py", line 330, in check_sigstore_client
    raise ReleaseException(
ReleaseException: Sigstore version not detected or not valid. Expecting 3.5.x or later: sigstore 3.4.0

sigstore-3.5.1:

✅  Checking autoconf is available
✅  Validating ssh connection to downloads.nyc1.psf.io and docs.nyc1.psf.io
✅  Checking Sigstore CLI
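
As an added illustration (not code from this pull request or from release-tools), one way to gate on the `sigstore X.Y.Z` string seen in the error messages above is to parse it into integers and compare tuples, failing closed on anything unrecognised. The function names, the exception class and the `sigstore 3.10.0` and `sigstore 4.0.0` samples are constructed for this example; how the version string is fetched from the server is out of scope.

```python
import re
from typing import Optional, Tuple

MIN_VERSION = (3, 5)  # "Expecting 3.5.x or later", as in the thread above

# Strict match on the `sigstore X.Y.Z` form; anything else (empty output,
# pre-release suffixes, unrelated text) is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^sigstore (\d+)\.(\d+)\.(\d+)$")


class VersionCheckError(Exception):
    """Hypothetical stand-in for the release tool's own exception type."""


def parse_sigstore_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None if the output is unrecognised."""
    match = _VERSION_RE.match(output.strip())
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def check_sigstore_version(output: str, minimum=MIN_VERSION) -> Tuple[int, int, int]:
    """Raise unless the reported version is at least `minimum`."""
    version = parse_sigstore_version(output)
    # Integer tuples compare numerically, so 3.10.0 passes a 3.5 floor.
    # Comparing the raw strings would wrongly put "3.10.0" below "3.5.0".
    if version is None or version[:2] < tuple(minimum):
        raise VersionCheckError(
            "Sigstore version not detected or not valid. "
            f"Expecting {minimum[0]}.{minimum[1]}.x or later: {output.strip()}"
        )
    return version


def evaluate_samples() -> dict:
    """Run the gate over constructed outputs; True means the check passed."""
    samples = ["", "sigstore 2.1.5", "sigstore 3.4.0", "sigstore 3.5.1",
               "sigstore 3.10.0", "sigstore 4.0.0", "sigstore 3.5.0rc1"]
    results = {}
    for sample in samples:
        try:
            check_sigstore_version(sample)
            results[sample] = True
        except VersionCheckError:
            results[sample] = False
    return results
```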


Successfully merging this pull request may close these issues.

Downloads server: "No module named sigstore"