I uploaded my first package to PyPI recently. Along the way I ended up creating a GPG key which required a passphrase. As I used several tutorials along the way, I’ve lost the documentation indicating why I did this. I’d like to make sure I have everything ready for the next time I upload.
A GPG key would let you sign your build, so users can check (by verifying a cryptographic signature of a hash of a package) that they really have downloaded code that has been approved by you (or someone else with your private key).
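The check described in the reply above, as an added example that is not part of the original thread and not twine's or GnuPG's own code: the real mechanism is an OpenPGP detached signature made by GnuPG, but this stand-in uses Go's standard-library Ed25519 so it runs without gpg installed. The shape is the same: the publisher hashes the built artifact and signs the digest with the private key; the downloader recomputes the digest from the bytes actually received and verifies the detached signature against the publisher's public key. The function names, the sample "wheel" bytes and the key pairs are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ArtifactDigest returns the SHA-256 digest of a built distribution (a wheel
// or sdist). The signature covers this digest, mirroring how an OpenPGP
// signature is made over a hash of the file rather than the file itself.
func ArtifactDigest(artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return d[:]
}

// SignArtifact is the publisher side: a detached signature over the digest,
// made with the private key (the one the passphrase protects).
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, ArtifactDigest(artifact))
}

// VerifyArtifact is the downloader side: recompute the digest of the bytes
// that were actually downloaded and verify the detached signature against
// the publisher's public key. A modified artifact, or a signature made with
// some other key, makes this return false. Malformed inputs are rejected
// up front rather than being passed to the verifier.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, ArtifactDigest(artifact), sig)
}

// Demo runs the publisher/downloader round trip on constructed sample bytes
// and reports (genuine verified, tampered rejected, wrong key rejected).
func Demo() (genuine, tamperedRejected, wrongKeyRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for a wheel; in practice this is the file's contents.
	artifact := []byte("PK\x03\x04 example-1.0.0-py3-none-any.whl (sample bytes)")
	sig := SignArtifact(priv, artifact)

	genuine = VerifyArtifact(pub, artifact, sig)

	// Flip one bit of the artifact: the digest changes, so the signature fails.
	tampered := append([]byte(nil), artifact...)
	tampered[len(tampered)-1] ^= 0x01
	tamperedRejected = !VerifyArtifact(pub, tampered, sig)

	// A signature from someone else's key does not verify under this public key.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wrongKeyRejected = !VerifyArtifact(otherPub, artifact, sig)
	return genuine, tamperedRejected, wrongKeyRejected
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine verified: %v, tampered rejected: %v, wrong key rejected: %v\n", g, t, w)
}
```

The point of the example is the downloader side: the signature only says something if the verifier already trusts the public key it checks against, which is why PyPI-hosted signatures were of limited value without a separate way to obtain and trust the publisher's key.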
I’m interested to know what tool prompted creation of a GPG (OpenPGP really) keypair when uploading to PyPI, but there’s little point now. PyPI had long discouraged uploading package signatures, and has more recently disallowed it entirely:
The recommended tool for uploading packages to PyPI is Twine, and I don’t recall it ever prompting to create keys for you:
Oh, neat! Somehow I missed that twine will call out to GnuPG to generate signatures. Looks like twine upload --help does mention it though. At any rate, it’s not going to be much use at this point, since PyPI no longer supports uploading them.
This issue discusses removal of support for it from twine, the current counterargument being that uploads to places other than PyPI might still support including signatures: