Merge pull request #1028 from woodruffw-forks/ww/warn-on-pgp-redux

upload: warn about potential PGP deprecation
pypa · Nov 24, 2023 · cad8a65 · cad8a65
2 parents e6f45da + d50f6a1
commit cad8a65
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 11 deletions.
diff --git a/tests/test_upload.py b/tests/test_upload.py
@@ -184,6 +184,42 @@ def test_success_with_pre_signed_distribution(upload_settings, stub_repository,
     )
 
 
+def test_warns_potential_pgp_removal_on_3p_index(
+    make_settings, stub_repository, caplog
+):
+    """Warn when a PGP signature is specified for upload to a third-party index."""
+    upload_settings = make_settings(
+        """
+        [pypi]
+        repository: https://example.com/not-a-real-index/
+        username:foo
+        password:bar
+        """
+    )
+    upload_settings.create_repository = lambda: stub_repository
+
+    # Upload a pre-signed distribution
+    result = upload.upload(
+        upload_settings, [helpers.WHEEL_FIXTURE, helpers.WHEEL_FIXTURE + ".asc"]
+    )
+    assert result is None
+
+    # The signature should be added via package.add_gpg_signature()
+    package = stub_repository.upload.calls[0].args[0]
+    assert package.gpg_signature == (
+        "twine-1.5.0-py2.py3-none-any.whl.asc",
+        b"signature",
+    )
+
+    # Ensure that a warning is emitted.
+    assert (
+        "One or more packages has an associated PGP signature; a future "
+        "version of twine may silently ignore these. See "
+        "https://github.com/pypa/twine/issues/1009 for more information"
+        in caplog.messages
+    )
+
+
 def test_exception_with_only_pre_signed_file(upload_settings, stub_repository):
     """Raise an exception when only a signed file is uploaded."""
     # Upload only pre-signed file

diff --git a/twine/commands/upload.py b/twine/commands/upload.py
@@ -124,17 +124,25 @@ def upload(upload_settings: settings.Settings, dists: List[str]) -> None:
         _make_package(filename, signatures, upload_settings) for filename in uploads
     ]
 
-    # Warn the user if they're trying to upload a PGP signature to PyPI
-    # or TestPyPI, which will (as of May 2023) ignore it.
-    # This check is currently limited to just those indices, since other
-    # indices may still support PGP signatures.
-    if any(p.gpg_signature for p in packages_to_upload) and repository_url.startswith(
-        (utils.DEFAULT_REPOSITORY, utils.TEST_REPOSITORY)
-    ):
-        logger.warning(
-            "One or more packages has an associated PGP signature; "
-            "these will be silently ignored by the index"
-        )
+    if any(p.gpg_signature for p in packages_to_upload):
+        if repository_url.startswith((utils.DEFAULT_REPOSITORY, utils.TEST_REPOSITORY)):
+            # Warn the user if they're trying to upload a PGP signature to PyPI
+            # or TestPyPI, which will (as of May 2023) ignore it.
+            # This warning is currently limited to just those indices, since other
+            # indices may still support PGP signatures.
+            logger.warning(
+                "One or more packages has an associated PGP signature; "
+                "these will be silently ignored by the index"
+            )
+        else:
+            # On other indices, warn the user that twine is considering
+            # removing PGP support outright.
+            logger.warning(
+                "One or more packages has an associated PGP signature; "
+                "a future version of twine may silently ignore these. "
+                "See https://github.com/pypa/twine/issues/1009 for more "
+                "information"
+            )
 
     repository = upload_settings.create_repository()
     uploaded_packages = []