Description
Supply chain attacks are the most efficient attack vector for malicious actors. We need a rule that outlines the issue (the lack of software verification) and showcases how to at least verify software that is already signed.
CWE-494: Download of Code Without Integrity Check
Producing our own signatures might require a separate rule, to avoid overloading this one.
Python modules are frequently hosted on mirrors with unknown trust.
Python.org has provided Sigstore signatures for its releases since Python 3.10.7.
Sigstore information
It is not very well known amongst coders.
Python allows wheel files to be signed (wheel distribution format — Python Packaging User Guide).
Some draft text:
Allowing only signed code can prevent injection of malicious or untested code running on production servers. Integrity and authenticity must be verified prior to using code. Authorization must not be assumed but can be based on verifiable individual identities or attributes of signed software.
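As an added example (not part of this proposal, and not python.org's or sigstore's own code), the two checks a deployment script can apply before a downloaded Python artifact is used: a pinned-digest check, which is what pip's --require-hashes mode does for wheels, and the `python -m sigstore verify identity` invocation that verifies a python.org release file against its published `.sigstore` bundle. The certificate identity and OIDC issuer are placeholders (assumptions); the real values for each release manager are listed on python.org's Sigstore page.

```python
from __future__ import annotations

import hashlib
import hmac
from pathlib import Path


class IntegrityError(Exception):
    """Verification failed: the artifact must not be installed or executed."""


def sha256_file(path: str | Path) -> str:
    """Hex SHA-256, streamed so a large release tarball does not sit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pinned_digest(path: str | Path, expected_sha256: str) -> bool:
    """Compare with a digest pinned in your own repo (as pip --require-hashes does),
    never with one fetched from the same untrusted mirror as the file itself."""
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError(f"{Path(path).name}: got {actual}, pinned {expected_sha256}")
    return True


def sigstore_verify_command(artifact: str | Path, cert_identity: str, oidc_issuer: str) -> list[str]:
    """Argument list for the sigstore CLI (pip install sigstore); run it with
    subprocess.run(cmd, check=True), which raises if the signature, identity or
    issuer does not match. python.org publishes <file>.sigstore beside each release
    file; identity and issuer must come from python.org's Sigstore page, not the mirror."""
    return ["python", "-m", "sigstore", "verify", "identity",
            "--bundle", f"{artifact}.sigstore",
            "--cert-identity", cert_identity,
            "--cert-oidc-issuer", oidc_issuer, str(artifact)]


if __name__ == "__main__":
    # Constructed stand-in for a downloaded wheel; the tampered copy must be rejected.
    good = b"constructed wheel contents"
    wheel = Path("constructed_pkg-1.0-py3-none-any.whl")
    wheel.write_bytes(good + b"!")
    try:
        verify_pinned_digest(wheel, hashlib.sha256(good).hexdigest())
    except IntegrityError as exc:
        print("rejected:", exc)
    wheel.unlink()
```

For a python.org download, the bundle file next to the release artifact is what `--bundle` points at; a mirror that serves the artifact but not a matching bundle fails the check rather than being trusted silently.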