`python-3.13.10-amd64.exe` sigstore and spdx files have wrong sha256

[tianon]

Bug report

Bug description:

$ wget -qO- 'https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe.sigstore' | jq --raw-output '.messageSignature.messageDigest.digest' | base64 -d | hexdump -ve '/1 "%02x"'; echo
e6e6dbaec482b22bf2651b80ee46bd450fd623a842c0f630a670d1948bbb0dad

$ wget -qO- 'https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe.spdx.json' | jq --raw-output 'first(.packages[] | select(.downloadLocation == "https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe") | .checksums[] | select(.algorithm == "SHA256") | .checksumValue)'
e6e6dbaec482b22bf2651b80ee46bd450fd623a842c0f630a670d1948bbb0dad

$ wget -qO- 'https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe' | sha256sum
ab30cd76655c6c91243b4f4d5a8499020f6503aa58e92b3e2e94ae4af7353257  -

(the MD5 on https://www.python.org/downloads/release/python-31310/ matches the actual file, however)

CPython versions tested on:

3.13

Operating systems tested on:

No response

[StanFromIreland]

Can you please recheck, I believe we fixed this, see: https://discuss.python.org/t/python-3-13-10-is-available-too-you-know/105165/2.

CC @zooba

[tianon]

Maybe CDN cache? It seems SPDX is fixed now, but sigstore are still affected.

Fresh tests, but with Pragma: no-cache headers for good measure:

$ wget --header 'Pragma: no-cache' -qO- 'https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe' | sha256sum
ab30cd76655c6c91243b4f4d5a8499020f6503aa58e92b3e2e94ae4af7353257  -

$ wget --header 'Pragma: no-cache' -qO- 'https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe.sigstore' | jq --raw-output '.messageSignature.messageDigest.digest' | base64 -d | hexdump -ve '/1 "%02x"'; echo
e6e6dbaec482b22bf2651b80ee46bd450fd623a842c0f630a670d1948bbb0dad

$ wget --header 'Pragma: no-cache' -qO- 'https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe.spdx.json' | jq --raw-output 'first(.packages[] | select(.downloadLocation == "https://www.python.org/ftp/python/3.13.10/python-3.13.10-amd64.exe") | .checksums[] | select(.algorithm == "SHA256") | .checksumValue)'
ab30cd76655c6c91243b4f4d5a8499020f6503aa58e92b3e2e94ae4af7353257

[zooba]

Yeah, the files got built and published twice, so the hashes had to be updated on the download page. The sigstore files should match, though? I'm not 100% clear on how that's all set up, but the RMs are looking into it.

[Yhg1s]

The new Windows files have all been re-signed by sigstore, and the CDN was flushed of all the changed files.

[tianon]

Thank you! ❤️