🔏📦 Sign distribution packages on release

This patch integrates an invocation of the `pypi-attestations`
tool[[1]] into the release automation before calling Twine. When
used locally and not within a known Trusted Publishing setup, it will
invoke an OAuth flow, opening a browser window, prompting the caller
to authenticate via GitHub. Once authorized and browser window closed,
it will proceed to signing the distribution packages[[2]] locally
using Sigstore. The resulting signatures are produced in the format
outlined in PEP 740 [[3]].

Twine is then called with `--attestations` which is what will actually
attach the digital signatures to the release on PyPI.

[1]: https://docs.pypi.org/attestations/producing-attestations/#using-pypi-attestations
[2]: https://packaging.python.org/en/latest/glossary/#term-Distribution-Package
[3]: https://peps.python.org/pep-0740/
pull/84350/head
Sviatoslav Sydorenko 5 days ago committed by Sviatoslav Sydorenko
parent 95e3af3e0f
commit 87662b82de
No known key found for this signature in database
GPG Key ID: 9345E8FEA89CA455

@ -668,6 +668,7 @@ def ensure_venv() -> dict[str, t.Any]:
ansible_requirements = ANSIBLE_REQUIREMENTS_FILE.read_text() ansible_requirements = ANSIBLE_REQUIREMENTS_FILE.read_text()
release_requirements = """ release_requirements = """
pypi-attestations # https://docs.pypi.org/attestations/producing-attestations/#using-pypi-attestations
build build
twine twine
""" """
@ -1460,7 +1461,32 @@ def publish(repository: str, prompt: bool = True) -> None:
display.show("") display.show("")
raise ApplicationError("Publishing was aborted by the user.") from None raise ApplicationError("Publishing was aborted by the user.") from None
run("twine", "upload", "-r", repository, sdist_file, wheel_file, env=env, cwd=CHECKOUT_DIR) run(
# NOTE: This initializes the OAuth flow and will use the
# NOTE: GitHub-provided OIDC identity to sign.
# Ref: https://docs.pypi.org/attestations/producing-attestations/#using-pypi-attestations
"python",
"-Im", "pypi_attestations",
"sign",
sdist_file,
wheel_file,
capture_output=True,
cwd=CHECKOUT_DIR,
env=env,
)
run(
"twine", "upload",
"--attestations",
"--disable-progress-bar",
"-r", repository,
sdist_file,
sdist_file.with_suffix(f"{sdist_file.suffix}.publish.attestation"),
wheel_file,
wheel_file.with_suffix(f"{wheel_file.suffix}.publish.attestation"),
capture_output=True,
cwd=CHECKOUT_DIR,
env=env,
)
@command @command

Loading…
Cancel
Save