On 2023-11-16 00:20:40 +0100 (+0100), Salvo Tomaselli wrote:
> On Wednesday 15 November 2023 15:58:15 CET, Jeremy Stanley wrote:
> > why do you need to put an OpenPGP key on the service
> > you're using to upload Python packages (not Debian packages) to
> > PyPI, given that PyPI doesn't support uploading OpenPGP signatures
> > anyway?
>
> I need to create a .tar.gz and a .tar.gz.asc.
>
> I am currently not using any service to upload to pypi. But this
> requires the occasional creation and deletion of global tokens.
>
> The only way to avoid global tokens is to upload from github, in
> which case I can no longer sign the .tar.gz.
[...]
I guess what I'm still not understanding is why your upload to PyPI has to happen from the same system where the artifact was built (and possibly also where it was signed). The system with your OpenPGP signing key and build toolchain doesn't have to be the same system as where your PyPI upload credentials reside.

I manage a very much non-GitHub CI/CD infrastructure that builds artifacts on one system, securely retrieves them from there and signs them on another system, then uploads them to PyPI from yet another system. The build toolchain has no direct access to the OpenPGP signing key, nor does the PyPI uploading tool. The build toolchain also has no access to the PyPI upload credentials; all of these different steps are isolated from one another by the CI/CD system. A solution like that is almost certainly overkill for casual efforts (our community has hundreds of projects with thousands of releases managed through central automation, making it more worthwhile), but the point is that none of those steps needs to happen on the same system.

This is why I continue not to understand how you think using PyPI's "trusted publisher" would necessitate giving your (entirely unrelated to that process) OpenPGP private key to GitHub, or to whatever future systems PyPI adds a trust relationship with, for that matter.
-- 
Jeremy Stanley
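The three-stage separation described in the reply above, as an added illustration that is not Jeremy Stanley's infrastructure or any project's own tooling: build, sign and upload are modelled as three directories that stand in for three hosts, a throwaway OpenPGP key (generated here, constructed for the example) lives only in the signing stage, only the artifact plus its checksum and detached signature cross a boundary, and each stage verifies what it received before acting. The `twine` call is printed rather than run, since no real PyPI credential is assumed.

```shell
#!/bin/sh
# Scratch root; each subdirectory stands in for a separate, isolated host.
set -eu
ROOT=$(mktemp -d)
BUILD="$ROOT/build"; SIGN="$ROOT/sign"; UPLOAD="$ROOT/upload"
mkdir -p "$BUILD/src" "$SIGN" "$UPLOAD"
ARTIFACT=hello-1.0.tar.gz   # constructed sample sdist name

# Stage 1: build host. Has the toolchain, but no signing key and no credential.
# It emits the artifact and a checksum manifest that later stages check against.
build_stage() {
  echo 'print("hello")' > "$BUILD/src/hello.py"
  tar -C "$BUILD" -czf "$BUILD/$ARTIFACT" src
  (cd "$BUILD" && sha256sum "$ARTIFACT" > SHA256SUMS)
}

# Stage 2: signing host. The only place the private key exists (a throwaway
# key generated into a private GNUPGHOME). It refuses to sign an artifact
# whose checksum does not match the build manifest.
sign_stage() {
  export GNUPGHOME="$SIGN/gnupg"; mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'ci-signer (example key)' default default never
  cp "$BUILD/$ARTIFACT" "$BUILD/SHA256SUMS" "$SIGN/"
  (cd "$SIGN" && sha256sum -c --quiet SHA256SUMS) || return 1
  gpg --batch --quiet --armor --detach-sign "$SIGN/$ARTIFACT"   # -> .asc
  gpg --batch --quiet --armor --export 'ci-signer (example key)' > "$SIGN/signer.pub"
}

# Stage 3: upload host. Holds only the public key and (in real use) the PyPI
# credential; it verifies the detached signature before handing off to twine.
verify_signature() {
  GNUPGHOME="$UPLOAD/gnupg" gpg --batch --quiet \
      --verify "$UPLOAD/$ARTIFACT.asc" "$UPLOAD/$ARTIFACT"
}
upload_stage() {
  cp "$SIGN/$ARTIFACT" "$SIGN/$ARTIFACT.asc" "$SIGN/signer.pub" "$UPLOAD/"
  mkdir -m 700 "$UPLOAD/gnupg"
  GNUPGHOME="$UPLOAD/gnupg" gpg --batch --quiet --import "$UPLOAD/signer.pub"
  verify_signature || return 1
  echo "would run: twine upload $UPLOAD/$ARTIFACT"
}

run_pipeline() { build_stage && sign_stage && upload_stage; }
```

Running `run_pipeline` ends with the printed twine command; corrupting the tarball in the upload directory afterwards makes `verify_signature` fail, which is the gate that keeps a tampered artifact off PyPI.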