[BUG] Versions > 75.1.0 do not have a signed tag, preventing upgrade #4743
Comments
Hi @dvzrv, I am not sure this is a bug. It probably looks like an invalid assumption from the Arch tools.
https://github.com/pypa/setuptools/blob/v75.3.0/.github/workflows/main.yml#L249-L269 I recommend not relying on any assumption that is not documented in https://setuptools.pypa.io/en/latest/development/releases.html.
Thanks for reporting the issue. As Anderson says, it's not a guarantee that tags are signed. Perhaps it could be, but right now it's a best-effort, as-available behavior. I'm also unsure I want to commit to having signed commits for tagged releases. It would be nice, but unfortunately, GPG signing of commits is brittle. I've found it difficult to get configured reliably on my Windows machine, and I've found the documentation and support for doing it to be so poor and daunting that I'm reluctant to ask anyone else to do it. @abravalheri Are you interested in getting started with signing commits (including tagged commits)? If so, I'd be happy to provide some tips about getting started. What OS do you use typically?
If there were multiple certificates used to sign Setuptools releases, would that satisfy Arch, or does it require there to be a single certificate (that would be shared by multiple release managers)?
Thanks for the replies and clarifications! For posterity: It appears as if the OpenPGP validation has been added during the Python 3.12 rebuild without clarifying with you whether this project would uphold a trust path (between release managers) going forward, or would even agree to always sign tags. Disclaimer: We believe it is valuable to sign tags so that downstreams can validate them.
Yes, that document or you should have been consulted first.
I understand and whether or not you want to do this is up to you.
I found the above dedicated tools to be much easier to understand and use than GnuPG. Alternatively, some people are also using SSH signing for their projects now (FWIW, we currently don't support the validation of this in an integrated way for our package maintainers yet, which is not to say it cannot or should not be used!).
No, having several is fine :) Closing, I think we can for now remove the OpenPGP validation on our side until you have come to a conclusion for yourselves etc. Thanks again for the prompt replies and clarifications! 🙏
Umm... that sounds like a bit of overhead 😅. I can try to give it a try as a best-effort kind of thing. @dvzrv, is there any alternative that relies on doing some process at the CI stage instead of having to run locally on the dev's computer?
None that I know of that is meaningfully safe and actually useful in the context of allowing downstreams to authenticate individuals (e.g. you). Generally, I'd always advise against doing tags in CI, as that way releases are created without any form of project owner oversight and are entirely dependent on the safety of the CI system (which is a substantial vendor lock-in as well).
setuptools version
75.1.1
Python version
3.12
OS
Arch Linux
Additional environment information
No response
Description
For upstream source validation in systems packaging on Arch Linux we rely on pinned OpenPGP certificates.
For this project we have pinned the OpenPGP certificate with the fingerprint CE380CF3044959B8F377DA03708E6CB181B4C47E, held by @jaraco. We tried upgrading to setuptools > 75.1.0 and to validate the tags using the above OpenPGP certificate, but noticed that tags newer than 75.1.0 are no longer signed.
The tags 75.1.1, 75.2.0 and 75.3.0 cannot be validated and we are not able to use them.
cc @polyzen @felixonmars
Expected behavior
Tags are signed by the OpenPGP key with the fingerprint CE380CF3044959B8F377DA03708E6CB181B4C47E.
How to Reproduce
Output
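A pin check of the kind the report describes, added here as an example (it is neither Arch's packaging tooling nor setuptools code): it evaluates the gpg status lines that `git verify-tag --raw` prints and accepts a tag only when the signature is good and the signing key's primary fingerprint equals the pinned one, so an unsigned tag such as 75.1.1 is rejected with `NO_SIGNATURE`. The sample status lines, key ids and the `rm@example.org` identity are constructed; only the pinned fingerprint comes from the report.

```python
"""Pin-check a git tag signature against one OpenPGP certificate fingerprint."""
import subprocess

# Primary-key fingerprint quoted in the report; pin the primary key, since
# release signatures are typically made with one of its signing subkeys.
PINNED_FPR = "CE380CF3044959B8F377DA03708E6CB181B4C47E"
# gpg status keywords that make a signature unacceptable whatever the key
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def check_status(status_lines, pinned_fpr=PINNED_FPR):
    """Evaluate gpg --status-fd lines (what `git verify-tag --raw` prints) and
    return (ok, reason). Acceptance needs GOODSIG plus a VALIDSIG whose primary-key
    fingerprint (last field) equals the pin; web-of-trust lines are ignored."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good, primary = False, None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # older gpg omits the primary fingerprint; then the signing key is primary
            primary = (args[9] if len(args) >= 10 else args[0]).upper()
    if not good or primary is None:
        return False, "NO_SIGNATURE"  # the unsigned-tag case from this report
    if primary != pinned:
        return False, "UNPINNED_KEY:" + primary
    return True, "OK"


def verify_tag(repo, tag, pinned_fpr=PINNED_FPR):
    """Run `git verify-tag --raw` in repo; gpg's status lines arrive on stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return check_status(proc.stderr.splitlines(), pinned_fpr)


# Constructed status output: good signature by subkey 1111... of the pinned certificate.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111111111111111 Example Release Manager <rm@example.org>",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-10-01 1727740800 "
    "0 4 0 1 10 01 " + PINNED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
```

`verify_tag("/path/to/setuptools", "v75.1.0")` runs the check against a real clone; the pinned certificate must already be in the keyring, since gpg otherwise reports `ERRSIG` rather than a fingerprint.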