upload: warn the user if their signature(s) are ignored #1010
Conversation
Signed-off-by: William Woodruff <[email protected]>
Still jargon, but hopefully more common jargon. Signed-off-by: William Woodruff <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
twine/commands/upload.py
Outdated
| # Warn the user if they're trying to upload a PGP signature to PyPI | ||
| # or TestPyPI, which will (as of May 2023) ignore it. | ||
| # This check is currently limited to just those indices, since other | ||
| # indices may still support PGP signatures. | ||
| if ( | ||
| any(p.gpg_signature for p in packages_to_upload) | ||
| and "pypi.org" in repository_url | ||
| ): | ||
| logger.warning( | ||
| "One or more packages has an associated PGP signature; " | ||
| "these will be silently ignored by the index" | ||
| ) |
There was a problem hiding this comment.
NB: I put this in its own little region rather than embedding it in the distribution loop below, under the reasoning that (1) it probably only makes sense to warn once here, and (2) this might get removed eventually anyways, so a less complex diff is better.
Happy to move if you'd prefer it in the loop, though!
Signed-off-by: William Woodruff <[email protected]>
|
Thanks @woodruffw I think one warning (rather than one per artifact) is best for now. I think a second warning for non-PyPI URLs could be useful to indicate we're considering removing support altogether and not just for PyPI uploads (with a link to the issue you opened or some other venue). |
|
Thanks!
Sounds good to me -- I can open a PR for that tomorrow. |
This is an initial step towards #1009: if
twine uploadsees that any to-be-uploaded dist has an associated PGP signature and that the index URL looks likepypi.org(i.e. PyPI or TestPyPI), it emits a warning notifying the user that their PGP signature will be silently ignored.See #1009.