
Signing things

Open jenstroeger opened this issue 3 years ago • 2 comments

Git allows for signing commits and tags, see also the Signing Your Work chapter. Furthermore, twine upload allows for signing packages when uploading them to a PyPI server.

Related to PR https://github.com/jenstroeger/python-package-template/pull/306 and issue https://github.com/commitizen-tools/commitizen/issues/575, I wanted to keep the discussion going on signing and verifying signatures in an automated workflow. Signing commits and tags not only generated by a local user (who needs to sign commits locally) but also generated by the release.yaml Action

https://github.com/jenstroeger/python-package-template/blob/f41b0e6a46061081370253b9ac17a1b62b5c85dc/.github/workflows/release.yaml#L55-L60

and

https://github.com/jenstroeger/python-package-template/blob/f41b0e6a46061081370253b9ac17a1b62b5c85dc/.github/workflows/release.yaml#L140-L145

Read the linked issue for more information, and take a look at “How to use GPG key in github actions?”. Also related is issue https://github.com/actions/runner/issues/667.

jenstroeger avatar Sep 23 '22 01:09 jenstroeger
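As an added example (not this repository’s release.yaml or the author’s code), a workflow job that imports a GPG key from repository secrets, lets git sign the release commit and tag with it on the runner, and verifies both signatures before pushing. The secret names GPG_PRIVATE_KEY and GPG_PASSPHRASE, the committer identity and the tag name are assumed placeholders.

```yaml
# Added example: sign and verify the release commit and tag in a headless job.
name: signed-release
on:
  workflow_dispatch:
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed only for the final push
    steps:
      - uses: actions/checkout@v3
      - name: Import signing key into the runner's ephemeral keyring
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}   # assumed secret
        run: |
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
          # Take the long id of the first secret key so later steps can reference it.
          KEY_ID=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
          echo "KEY_ID=$KEY_ID" >> "$GITHUB_ENV"
      - name: Point git at a non-interactive gpg wrapper
        run: |
          # A runner has no TTY: use loopback pinentry and read the passphrase from
          # the environment at signing time, so it is never written to a file.
          cat > "$RUNNER_TEMP/gpg-sign.sh" <<'EOF'
          #!/bin/sh
          exec gpg --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" "$@"
          EOF
          chmod 700 "$RUNNER_TEMP/gpg-sign.sh"
          git config gpg.program "$RUNNER_TEMP/gpg-sign.sh"
          git config user.signingkey "$KEY_ID"
          git config commit.gpgsign true   # sign every commit without -S
          git config tag.gpgSign true      # sign every annotated tag without -s
          git config user.name  "release-bot"               # placeholder identity
          git config user.email "release-bot@example.com"   # placeholder identity
      - name: Create, verify and push the signed release commit and tag
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}   # assumed secret
        run: |
          git commit --allow-empty -m "chore(release): signed release commit"
          git tag -m "signed release tag" v0.0.0-example    # placeholder tag
          # Fail the job if either signature does not verify against the imported key.
          git verify-commit HEAD
          git verify-tag v0.0.0-example
          git push origin HEAD v0.0.0-example
```

The verify steps are what makes the signing useful downstream: a consumer can run the same `git verify-tag` against the published tag with the project's public key.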

There’s also discussion on signing packages, although PyPI doesn’t seem to have great support for that. See also

jenstroeger avatar May 11 '23 23:05 jenstroeger