Send Sigstore CLI verification to stdout, not stderr (#193)

sethmlarson · web-flow · commit f01eceba0811 · 2024-11-20T15:17:21.000+02:00
diff --git a/add_to_pydotorg.py b/add_to_pydotorg.py
@@ -422,13 +422,23 @@ def has_sigstore_signature(filename: str) -> bool:
         filename_sigstore = filename + ".sigstore"
 
         if os.path.exists(filename_sigstore):
-            run_cmd(sigstore_verify_argv + ["--bundle", filename_sigstore, filename])
+            run_cmd(
+                sigstore_verify_argv + ["--bundle", filename_sigstore, filename],
+                stderr=subprocess.STDOUT,  # Sigstore sends stderr on success.
+            )
 
         # We use an 'or' here to error out if one of the files is missing.
         if os.path.exists(filename_sig) or os.path.exists(filename_crt):
             run_cmd(
                 sigstore_verify_argv
-                + ["--certificate", filename_crt, "--signature", filename_sig, filename]
+                + [
+                    "--certificate",
+                    filename_crt,
+                    "--signature",
+                    filename_sig,
+                    filename,
+                ],
+                stderr=subprocess.STDOUT,  # Sigstore sends stderr on success.
             )
 
 
