Add a "--verify-signature" option to "twine upload"
When "--verify-signature" is specified, twine would make sure every upload has a corresponding .asc, and that it contains a valid signature. If the .asc file is not specified for upload, or is specified but does not contain a valid signature, it would abort before starting the upload.
Hey @moshez!
So how does this combine with the flag that generates signatures? For one thing, if you do
twine upload -s dist/*
Then you'll have valid signatures for each package. I wouldn't think you'd want to spend extra time verifying them. You'd only care about verification if you've generated the signatures yourself. Also if there are no existing .asc files, how would -s and --verify-signature work? Would we sign it for the user first and then verify it? Would we fail early because no signature exists? We need to flesh out the behaviour and workflow a bit more before I feel comfortable deciding whether we should add this or not.
It's also worth noting that signatures will not be supported by PyPI for very long. They're going to be replaced by a significantly better solution. (This doesn't mean that the answer is likely no because we already have --sign ;). It's just a mention of something relevant.)
Let's start from the end -- I totally get that signatures will be replaced by something better. But until I can use something better, they are all I have, and I want to upload them. I do realize it is not sane to do verification right now but I guess I like the warm fuzzy feeling that it is possible.
I think I would have --sign and --verify-signature just be non-compatible options: specifying both would be an argument-parsing-level "syntax error". You either sign it beforehand and ask twine to check, or you have twine generate the signatures. I'm imagining something like
$ twine upload --sign --verify-signature dist/*
twine: Cannot specify both --sign and --verify-signature
I agree that specifying the correct semantics would be hard, and I suggest that in the face of ambiguity we refuse the temptation to guess 😄
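The behaviour proposed above (every dist needs a matching detached .asc that gpg accepts, abort before any upload otherwise, and --sign / --verify-signature refuse to be combined) as an added Python sketch; this is not twine's code. It assumes gpg is on PATH for real verification and takes an injectable verifier so the pairing logic can be exercised without it.

```python
import argparse
import os
import subprocess
import sys
from typing import Callable, Dict, Iterable, List


def gpg_verify(asc_path: str, data_path: str) -> bool:
    """Ask gpg to check a detached signature; any non-zero exit counts as invalid."""
    result = subprocess.run(["gpg", "--batch", "--verify", asc_path, data_path], capture_output=True)
    return result.returncode == 0


def check_signatures(dists: Iterable[str], verifier: Callable[[str, str], bool] = gpg_verify) -> Dict[str, str]:
    """Map each dist to 'ok', 'missing' (no .asc beside it) or 'invalid' (verifier rejected it)."""
    statuses: Dict[str, str] = {}
    for dist in dists:
        asc = dist + ".asc"  # twine's convention: detached signature next to the dist
        if not os.path.exists(asc):
            statuses[dist] = "missing"
        elif not verifier(asc, dist):
            statuses[dist] = "invalid"
        else:
            statuses[dist] = "ok"
    return statuses


def build_parser() -> argparse.ArgumentParser:
    """--sign and --verify-signature are mutually exclusive, as proposed in the thread."""
    parser = argparse.ArgumentParser(prog="twine upload")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-s", "--sign", action="store_true")
    group.add_argument("--verify-signature", action="store_true")
    parser.add_argument("dists", nargs="+")
    return parser


def main(argv: List[str], verifier: Callable[[str, str], bool] = gpg_verify) -> int:
    """Return 1 before any upload if --verify-signature finds a missing or invalid .asc."""
    args = build_parser().parse_args(argv)
    if args.verify_signature:
        bad = {d: s for d, s in check_signatures(args.dists, verifier).items() if s != "ok"}
        for dist, status in sorted(bad.items()):
            print(f"{dist}: signature {status}", file=sys.stderr)
        if bad:
            return 1  # nothing has been sent to the index at this point
    return 0  # upload would proceed here
```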
Free idea: Always verify the signatures when they exist and gpg is available. That removes the need to add a user facing element like --verify-signature that will be weird with --sign and possibly need to be removed.
Or just remove --verify-signature and force --sign to verify it for you.