Show verification instructions for sigstore py module too

Refs #549

doc/changes.rst

@@ -15,9 +15,7 @@ APSW changes by version
 
 Source releases are also available in tar format (:issue:`548`)
 
-Source releases are :ref:`signed <verifydownload>` using the `new
-bundle format <https://docs.sigstore.dev/about/bundle/>`__
-(:issue:`549`)
+Updated source release signing and instructions. (:issue:`549`)
 
 `Shared cache
 <https://www.sqlite.org/compile.html#omit_shared_cache>`__ is omitted

doc/install.rst

@@ -108,32 +108,36 @@ Github `source releases <https://github.com/rogerbinns/apsw/releases>`__ are
 digitally signed so you can verify they have not been tampered with,
 and were produced by the project maintainer.
 
-`Sigstore <https://www.sigstore.dev/>`__ is used via the `cosign tool
-<https://docs.sigstore.dev/cosign/signing/>`__.  Download the
-corresponding cosign bundle which contains the signature.
+`Sigstore <https://www.sigstore.dev/>`__ is used.  Instructions are
+shown for the standalone  `cosign tool
+<https://github.com/sigstore/cosign/releases>`__ (easiest,
+recommended), and the `Python sigstore module
+<https://pypi.org/project/sigstore/>`__.
 
 Verify
 
-  `Install cosign
-  <https://docs.sigstore.dev/cosign/system_config/installation/>`__ if you
-  don't have it already.  It is `available for a wide variety of
-  platforms <https://github.com/sigstore/cosign/releases/>`__
-  including Linux, MacOS, and Windows.
-
   Checking the signature needs to provide the source release, the
   cosign bundle, the maintainer id, and issuer.  The command is all
-  one line shown here across multiple lines for clarity.
+  one line shown here across multiple lines for clarity, along with
+  the expected successful output.
 
   .. verify-begin
 
   .. code-block:: console
 
-    $ cosign verify-blob apsw-3.47.2.0.zip                           \
-        --bundle apsw-3.47.2.0.zip.cosign-bundle                     \
-        [email protected]                 \
+    $ cosign verify-blob apsw-3.47.2.0.zip                        \
+        --new-bundle-format                                       \
+        --bundle apsw-3.47.2.0.zip.cosign-bundle                  \
+        [email protected]              \
         --certificate-oidc-issuer=https://github.com/login/oauth
     Verified OK
 
+    $ python3 -m sigstore verify identity apsw-3.47.2.0.zip       \
+        --bundle apsw-3.47.2.0.zip.cosign-bundle                  \
+        [email protected]                     \
+        --cert-oidc-issuer=https://github.com/login/oauth
+    OK: apsw-3.47.2.0.zip
+
   .. verify-end
 
   Check for a success exit code, and verified message.

tools/docupdate.py

@@ -51,14 +51,22 @@
         op.append("")
 
         def back(s):
-            return s + " " * (65 - len(s)) + "\\"
+            return s + " " * (62 - len(s)) + "\\"
 
         op.append("    " + back(f"$ cosign verify-blob apsw-{version}.zip"))
+        op.append("    " + back("    --new-bundle-format"))
         op.append("    " + back(f"    --bundle apsw-{version}.zip.cosign-bundle"))
         op.append("    " + back("    [email protected]"))
         op.append("    " + "    --certificate-oidc-issuer=https://github.com/login/oauth")
         op.append("    " + "Verified OK")
         op.append("")
+        op.append("    " + back(f"$ python3 -m sigstore verify identity apsw-{version}.zip"))
+        op.append("    " + back(f"    --bundle apsw-{version}.zip.cosign-bundle"))
+        op.append("    " + back("    [email protected]"))
+        op.append("    " + "    --cert-oidc-issuer=https://github.com/login/oauth")
+        op.append("    " + f"OK: apsw-{version}.zip")
+
+        op.append("")
     if line == ".. downloads-end":
         indownload = False
     if line == "  .. verify-end":