upload: warn the user if their signature(s) are ignored (#1010)

* upload: warn the user if their signature(s) are ignored Signed-off-by: William Woodruff <william@yossarian.net> * twine, tests: "armored" -> PGP Still jargon, but hopefully more common jargon. Signed-off-by: William Woodruff <william@yossarian.net> * upload: be more principled in URL check Signed-off-by: William Woodruff <william@yossarian.net> --------- Signed-off-by: William Woodruff <william@yossarian.net>
pypa · Aug 31, 2023 · 4951945 · 4951945
1 parent 0bb428c
commit 4951945
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/tests/test_upload.py b/tests/test_upload.py
@@ -162,7 +162,7 @@ def test_print_response_if_verbose(upload_settings, stub_response, caplog):
     assert caplog.messages.count(response_log) == 2
 
 
-def test_success_with_pre_signed_distribution(upload_settings, stub_repository):
+def test_success_with_pre_signed_distribution(upload_settings, stub_repository, caplog):
     """Add GPG signature provided by user to uploaded package."""
     # Upload a pre-signed distribution
     result = upload.upload(
@@ -177,6 +177,12 @@ def test_success_with_pre_signed_distribution(upload_settings, stub_repository):
         b"signature",
     )
 
+    # Ensure that a warning is emitted.
+    assert (
+        "One or more packages has an associated PGP signature; these will "
+        "be silently ignored by the index" in caplog.messages
+    )
+
 
 def test_exception_with_only_pre_signed_file(upload_settings, stub_repository):
     """Raise an exception when only a signed file is uploaded."""

diff --git a/twine/commands/upload.py b/twine/commands/upload.py
@@ -124,6 +124,18 @@ def upload(upload_settings: settings.Settings, dists: List[str]) -> None:
         _make_package(filename, signatures, upload_settings) for filename in uploads
     ]
 
+    # Warn the user if they're trying to upload a PGP signature to PyPI
+    # or TestPyPI, which will (as of May 2023) ignore it.
+    # This check is currently limited to just those indices, since other
+    # indices may still support PGP signatures.
+    if any(p.gpg_signature for p in packages_to_upload) and repository_url.startswith(
+        (utils.DEFAULT_REPOSITORY, utils.TEST_REPOSITORY)
+    ):
+        logger.warning(
+            "One or more packages has an associated PGP signature; "
+            "these will be silently ignored by the index"
+        )
+
     repository = upload_settings.create_repository()
     uploaded_packages = []