Description
Expected behaviour
When I go to download the latest version of Python for Windows, I should also see instructions on how to verify the authenticity of the file after download and before install. Or, at least, a link to the document that describes this.
Actual behaviour
I see no mention of cryptographic authenticity verification on the download page.
Steps to reproduce
- Go to https://www.python.org/downloads/release/python-3122/
- ???
- Get confused and open ticket
Additional Context
The download page links to the GPG signature, but this is useless without the key. Any page that references GPG signatures should at least link to a page that tells the user how they can get the authentic fingerprint/public key of the official release signing key.
I would recommend adding this link to the More Resources section and/or making the GPG heading of the table itself a link, as is the case with its adjacent Sigstore heading in the table.
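
Added example, not part of the original issue and not python.org's own tooling: it illustrates why a detached signature only proves something once the signer's full fingerprint is pinned from a trusted source. The function names, the pinned fingerprint and the `gpg --status-fd` sample lines are constructed for illustration.

```python
import subprocess

# Constructed placeholder; the real value must come from a trusted channel.
PINNED = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed status output: good signature made by the pinned key.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-02-06 1707200000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Constructed: an equally "good" signature, but from another key in the keyring.
SAMPLE_OTHER_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-02-06 1707200000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
# Constructed: the signing key is not in the keyring at all.
SAMPLE_NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1707200000 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""

def gpg_status(sig_path, file_path):
    """Run gpg on a detached signature and return its machine-readable status."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def signer_fingerprint(status_text):
    """Primary-key fingerprint of the single valid signature, else None."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FATAL:
            return None
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key's fingerprint; field 1 is the signing (sub)key.
            found.append((args[9] if len(args) >= 10 else args[0]).upper())
    return found[0] if len(found) == 1 else None

def is_authentic(status_text, pinned_fpr):
    """True only if the signer matches a full pinned fingerprint (not a short key ID)."""
    pinned = pinned_fpr.replace(" ", "").upper()
    return len(pinned) >= 40 and signer_fingerprint(status_text) == pinned
```

In real use, pass `gpg_status("installer.exe.asc", "installer.exe")` (file names are placeholders) to `is_authentic` together with the fingerprint published by the release signer.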