Skip to content

upload: warn the user if their signature(s) are ignored#1010

Merged
sigmavirus24 merged 3 commits intopypa:mainfrom
woodruffw-forks:ww/warn-on-pgp
Aug 31, 2023
Merged

upload: warn the user if their signature(s) are ignored#1010
sigmavirus24 merged 3 commits intopypa:mainfrom
woodruffw-forks:ww/warn-on-pgp

Conversation

@woodruffw
Copy link
Copy Markdown
Member

@woodruffw woodruffw commented Aug 27, 2023

This is an initial step towards #1009: if twine upload sees that any to-be-uploaded dist has an associated PGP signature and that the index URL looks like pypi.org (i.e. PyPI or TestPyPI), it emits a warning notifying the user that their PGP signature will be silently ignored.

See #1009.

@woodruffw
upload: warn the user if their signature(s) are ignored
5681da5 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
twine, tests: "armored" -> PGP
1e79d7c 
Still jargon, but hopefully more common jargon.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw marked this pull request as ready for review August 27, 2023 20:03
github-advanced-security[bot]
github-advanced-security AI found potential problems Aug 27, 2023
View reviewed changes
Comment thread twine/commands/upload.py Fixed
woodruffw
woodruffw commented Aug 27, 2023
View reviewed changes
Comment thread twine/commands/upload.py
Comment on lines +127 to +138
# Warn the user if they're trying to upload a PGP signature to PyPI
# or TestPyPI, which will (as of May 2023) ignore it.
# This check is currently limited to just those indices, since other
# indices may still support PGP signatures.
if (
any(p.gpg_signature for p in packages_to_upload)
and "pypi.org" in repository_url
):
logger.warning(
"One or more packages has an associated PGP signature; "
"these will be silently ignored by the index"
)
Copy link
Copy Markdown
Member Author

@woodruffw woodruffw Aug 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NB: I put this in its own little region rather than embedding it in the distribution loop below, under the reasoning that (1) it probably only makes sense to warn once here, and (2) this might get removed eventually anyways, so a less complex diff is better.

Happy to move if you'd prefer it in the loop, though!

@sigmavirus24
Copy link
Copy Markdown
Member

sigmavirus24 commented Aug 31, 2023

Thanks @woodruffw I think one warning (rather than one per artifact) is best for now. I think a second warning for non-PyPI URLs could be useful to indicate we're considering removing support altogether and not just for PyPI uploads (with a link to the issue you opened or some other venue).

@sigmavirus24 sigmavirus24 merged commit 4951945 into pypa:main Aug 31, 2023
@woodruffw
Copy link
Copy Markdown
Member Author

woodruffw commented Aug 31, 2023

Thanks!

I think a second warning for non-PyPI URLs could be useful to indicate we're considering removing support altogether and not just for PyPI uploads (with a link to the issue you opened or some other venue).

Sounds good to me -- I can open a PR for that tomorrow.

@woodruffw woodruffw deleted the ww/warn-on-pgp branch August 31, 2023 04:18
@woodruffw woodruffw mentioned this pull request Nov 22, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sigmavirus24 sigmavirus24 sigmavirus24 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@woodruffw @sigmavirus24 @github-advanced-security