Merge pull request #1028 from woodruffw-forks/ww/warn-on-pgp-redux
upload: warn about potential PGP deprecation
2 parents e6f45da + d50f6a1 commit cad8a65


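--- a/tests/test_upload.py
+++ b/tests/test_upload.py
@@ -184,6 +184,42 @@ def test_success_with_pre_signed_distribution(upload_settings, stub_repository,
     )
 
 
+def test_warns_potential_pgp_removal_on_3p_index(
+    make_settings, stub_repository, caplog
+):
+    """Warn when a PGP signature is specified for upload to a third-party index."""
+    upload_settings = make_settings(
+        """
+        [pypi]
+        repository: https://example.com/not-a-real-index/
+        username:foo
+        password:bar
+        """
+    )
+    upload_settings.create_repository = lambda: stub_repository
+
+    # Upload a pre-signed distribution
+    result = upload.upload(
+        upload_settings, [helpers.WHEEL_FIXTURE, helpers.WHEEL_FIXTURE + ".asc"]
+    )
+    assert result is None
+
+    # The signature should be added via package.add_gpg_signature()
+    package = stub_repository.upload.calls[0].args[0]
+    assert package.gpg_signature == (
+        "twine-1.5.0-py2.py3-none-any.whl.asc",
+        b"signature",
+    )
+
+    # Ensure that a warning is emitted.
+    assert (
+        "One or more packages has an associated PGP signature; a future "
+        "version of twine may silently ignore these. See "
+        "https://github.com/pypa/twine/issues/1009 for more information"
+        in caplog.messages
+    )
+
+
 def test_exception_with_only_pre_signed_file(upload_settings, stub_repository):
     """Raise an exception when only a signed file is uploaded."""
     # Upload only pre-signed file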
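Review bot: The new test checks that the third-party-index message is present in caplog.messages (lines 215-220) but never checks that the PyPI-specific message is absent, so a regression that made the PyPI branch fire for every repository URL, or emitted both warnings, would still pass. A negative assertion after the existing one pins the branch selection: `assert not any("these will be silently ignored by the index" in m for m in caplog.messages)`. The test also relies on pytest's default caplog capture level including WARNING; a one-line comment saying so, or an explicit `caplog.set_level(logging.WARNING)`, would make that dependency visible to the next maintainer.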

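--- a/twine/commands/upload.py
+++ b/twine/commands/upload.py
@@ -124,17 +124,25 @@ def upload(upload_settings: settings.Settings, dists: List[str]) -> None:
         _make_package(filename, signatures, upload_settings) for filename in uploads
     ]
 
-    # Warn the user if they're trying to upload a PGP signature to PyPI
-    # or TestPyPI, which will (as of May 2023) ignore it.
-    # This check is currently limited to just those indices, since other
-    # indices may still support PGP signatures.
-    if any(p.gpg_signature for p in packages_to_upload) and repository_url.startswith(
-        (utils.DEFAULT_REPOSITORY, utils.TEST_REPOSITORY)
-    ):
-        logger.warning(
-            "One or more packages has an associated PGP signature; "
-            "these will be silently ignored by the index"
-        )
+    if any(p.gpg_signature for p in packages_to_upload):
+        if repository_url.startswith((utils.DEFAULT_REPOSITORY, utils.TEST_REPOSITORY)):
+            # Warn the user if they're trying to upload a PGP signature to PyPI
+            # or TestPyPI, which will (as of May 2023) ignore it.
+            # This warning is currently limited to just those indices, since other
+            # indices may still support PGP signatures.
+            logger.warning(
+                "One or more packages has an associated PGP signature; "
+                "these will be silently ignored by the index"
+            )
+        else:
+            # On other indices, warn the user that twine is considering
+            # removing PGP support outright.
+            logger.warning(
+                "One or more packages has an associated PGP signature; "
+                "a future version of twine may silently ignore these. "
+                "See https://github.com/pypa/twine/issues/1009 for more "
+                "information"
+            )
 
     repository = upload_settings.create_repository()
     uploaded_packages = []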
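Review bot: The index classification at line 128 is a plain string-prefix test, and now that it selects between two different user-facing warnings a repository URL that differs from utils.DEFAULT_REPOSITORY or utils.TEST_REPOSITORY only in a trailing slash, case, or an omitted `/legacy/` path will be told that twine "may" ignore the signature rather than that PyPI already does. That was true of the removed code too, but the consequence was silence rather than a misleading message, so it deserves a comment such as `# NOTE: prefix match; URL variants of PyPI/TestPyPI fall through to the generic warning` or a normalisation of repository_url before the comparison (whether that happens earlier in upload() is not visible in this hunk). As a point of style, naming the condition once, `is_pypi = repository_url.startswith((utils.DEFAULT_REPOSITORY, utils.TEST_REPOSITORY))`, and building the message from the shared prefix would remove the duplicated first sentence across the two logger.warning calls. The enclosing upload() function starts and ends outside the hunk.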
