Make artifact verification instructions more visible

[sethmlarson]

Today our download pages allude to being able to verify artifacts, either through Sigstore (recommended) or GPG, however these instructions aren't as clearly documented as they could be and in theory we want everyone downloading from python.org to be taking advantage of one of these two options.

My proposal is to:

• Add an anchor to the download details page for GPG identities so it can be linked to directly.
• For all download detail pages:
  • Provide a link to the instructions for verifying with GPG
  • If there are Sigstore artifacts, also provide links to instructions for verifying Sigstore.
  • Recommend users using Sigstore over GPG when it's available.

[JacobCoffee]

all download detail pages

This would be a heavy lift if I understand correctly as each release page is non-codified markdown in the /admin backend :(

[sethmlarson]

@JacobCoffee We might be able to slot in the information programmatically in this template? https://github.com/python/pythondotorg/blob/main/templates/downloads/release_detail.html#L42

[edmorley]

This appears to be resolved now?

eg if I visit https://www.python.org/downloads/release/python-3137/ and scroll down to the Files table, the headings for the "Sigstore" and "GPG" columns link to the relevant docs:

• https://www.python.org/download/sigstore/
• https://www.python.org/downloads/#gpg

[hugovk]

Yes, header links were added in #2247 and #2772.

• Recommend users using Sigstore over GPG when it's available.

We can do something extra for this, and move the GPG column after Sigstore and SBOM. Currently:

Please see PR #2783.