GPG key created when uploading package to PyPI

jhanarato · October 6, 2023, 12:30pm

Slightly embarrassing:

I uploaded my first package to PyPI recently. Along the way I ended up creating a GPG key which required a passphrase. As I used several tutorials along the way, I’ve lost the documentation indicating why I did this. I’d like to make sure I have everything ready for the next time I upload.

I’m on Linux Mint.

Many thanks,

J.R.

JamesParrott · October 6, 2023, 12:43pm

A GPG key would let you sign your build, so users can check (by verifying a cryptographic signature of a hash of a package) that really have downloaded code that has been approved by you (or someone else with your private key).

fungi · October 6, 2023, 2:08pm

I’m interested to know what tool prompted creation of a GPG (OpenPGP
really) keypair when uploading to PyPI, but there’s little point
now. PyPI had long discouraged uploading package signatures, and has
more recently disallowed it entirely:

The recommended tool for uploading packages to PyPI is Twine, and I
don’t recall it ever prompting to create keys for you:

jhanarato · October 7, 2023, 12:59am

Thanks @fungi & @JamesParrott.

Here’s the package:

Is it possible to tell whether it’s been signed?

jhanarato · October 7, 2023, 1:14am

I’m guessing I invoked twine with the sign flag:

twine upload -s

jhanarato · October 7, 2023, 1:21am

Hmm… nope. Fortunately I have the terminal history in PyCharm:

python3 -m build
python3 -m twine upload dist/*

I pretty much followed this to the letter:

https://packaging.python.org/en/latest/tutorials/packaging-projects/

Python version is 3.10.12 Perhaps that’s the culprit?

fungi · October 7, 2023, 8:46pm

I’m guessing I invoked twine with the sign flag:

twine upload -s

Oh, neat! Somehow I missed that twine will call out to GnuPG to
generate signatures. Looks like twine upload --help does mention
it though. At any rate, it’s not going to be much use at this point,
since PyPI no longer supports uploading them.

This issue discusses removal of support for it from twine, the
current counterargument being that uploads to places other than PyPI
might still support including signatures:

github.com/pypa/twine

Deprecate (and eventually remove) PGP/GPG support?

opened 02:27PM - 27 Aug 23 UTC

woodruffw

First of all, thank you for `twine`! I'm a daily user both professionally and pe…rsonally, and it's been a joy to use. This is intended to be an RFC/proposal issue for a feature removal, so I've elided some sections below where I believed them to be irrelevant. Please let me know if I re-add them. ## The Issue PyPI [removed PGP support in May 2023](https://blog.pypi.org/posts/2023-05-23-removing-pgp/): since then, pre-existing PGP signatures have continued to be hosted, but new signatures are silently ignored when uploaded alongside a new distribution version. `twine` still has a handful of flags and options that reflect PyPI's previous support for PGP, namely `--sign`, `--sign-with`, and `--identity`. These flags still take effect and perform local actions, but ultimately have no effect on the state of the package index. This in turn is a potential source of user confusion: while the index's behavior has been publicly documented, the presence of "supported" PGP/GPG flags on the uploading client side might lead them to believe that some form of PGP signature uploading is still supported or effective. ## The Proposal I propose a deprecation and removal period for these flags, as well as their corresponding parts of the `twine` codebase. In particular, I propose two discrete phases: a deprecation period during which time these flags cause `DeprecationWarning`s (or similar), followed by a hard removal period during which the `twine` CLI no longer recognizes them and exits with a failure code. The use of a deprecation period here is arguably a little funky, since the underlying behavior has already been removed on the index side. On the other hand there is probably a decent amount of CI/CD automation out there currently using these flags (effectively as no-ops), so giving them a deprecation period before making a breaking change on the `twine` CLI side will help them perform a graceful migration. ## Other considerations This is intended to be a non-exhaustive list: * Other indices? `twine` supports uploading to an arbitrary index; are there popular third-party indices that still support PGP signatures? * Alignment with other uploading clients? I don't think Poetry ever supported PGP signatures; I'm not sure about others. --- Please let me know what you think! If this proposal seems interesting and valuable, then I'd be more than happy to do the work here.

JamesParrott · October 15, 2023, 9:52pm

Is it possible to tell whether it’s been signed?

You need a signature file for starters. They normally look like .sig. I couldn’t find one.