On 2023-11-15 16:03:54 -0800 (-0800), Russ Allbery wrote:
[...]
> Well, you *can*, but you would have to then download the .tar.gz from
> PyPI, perform whatever checks you need to in order to ensure it is a
> faithful copy of the source release, and then sign it and put that .asc
> file somewhere (such as a GitHub release artifact).
[...]
Or build and sign the .tar.gz, then provide the .tar.gz file to the upload
automation on GitHub for publishing to PyPI.

Anyway, the related discussion topic on the Python Discourse forum is
already brainstorming alternative token permissions to make it so that you
can pre-create the per-project upload tokens for projects before they
actually exist, or perhaps make yet another token type that can only upload
an initial release and gets refused if the project already exists on PyPI,
so for people who don't want to or can't use the "trusted publisher"
authentication mechanism (which only supports GitHub Actions for now),
there will likely be more options in the future that also avoid use of
global API tokens.
--
Jeremy Stanley
signature.asc
Description: PGP signature
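The "faithful copy" check that Russ describes (download the .tar.gz from PyPI, confirm it matches the source release, then detach-sign it) is the step most people skip. Below is an added example of such a check, not code from this thread, from PyPI, or from any project; every name in it (`compare_sdists`, `build_sdist`, the `pkg-1.0` archive, the sample files) is hypothetical and the archives are constructed in memory so it runs offline. It short-circuits on an identical SHA-256, and otherwise compares the archives member by member so that tar metadata that legitimately differs between builds (mtime, uid/gid) does not cause a false alarm while any changed, missing or added file is reported.

```python
"""Verify that a sdist downloaded from PyPI is a faithful copy of the
release source before detach-signing it.

Added, hypothetical example; not code from the thread or from PyPI.
All archives are constructed in memory (no network access).
"""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tar_members(archive: bytes) -> dict[str, bytes]:
    """Map every regular-file member path in a .tar.gz to its bytes."""
    members: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for info in tar:
            if info.isfile():
                fobj = tar.extractfile(info)
                members[info.name] = fobj.read() if fobj else b""
    return members


def compare_sdists(expected: bytes, downloaded: bytes) -> list[str]:
    """Return the list of discrepancies; an empty list means faithful copy.

    Byte-identical archives are accepted via SHA-256. Otherwise compare
    member names and contents only, ignoring mtime/uid/gid/mode, so a
    rebuilt-but-unchanged sdist passes and any content change fails.
    """
    if sha256_hex(expected) == sha256_hex(downloaded):
        return []
    want, got = tar_members(expected), tar_members(downloaded)
    problems: list[str] = []
    for name in sorted(want.keys() - got.keys()):
        problems.append(f"missing in download: {name}")
    for name in sorted(got.keys() - want.keys()):
        problems.append(f"unexpected in download: {name}")
    for name in sorted(want.keys() & got.keys()):
        if want[name] != got[name]:
            problems.append(
                f"content differs: {name} "
                f"({sha256_hex(want[name])[:12]} != {sha256_hex(got[name])[:12]})"
            )
    return problems


def build_sdist(files: dict[str, bytes], mtime: int) -> bytes:
    """Constructed stand-in for a `python -m build --sdist` archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"pkg-1.0/{name}")
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample release (not a real project).
RELEASE_FILES = {
    "pyproject.toml": b'[project]\nname = "pkg"\nversion = "1.0"\n',
    "src/pkg/__init__.py": b'__version__ = "1.0"\n',
}

# What the maintainer built and uploaded.
LOCAL_SDIST = build_sdist(RELEASE_FILES, mtime=1_700_000_000)
# Same source rebuilt later: different tar timestamps, identical content.
REBUILT_SDIST = build_sdist(RELEASE_FILES, mtime=1_700_086_400)
# A tampered download: one extra line in the package __init__.
TAMPERED_SDIST = build_sdist(
    {**RELEASE_FILES,
     "src/pkg/__init__.py": b'__version__ = "1.0"\nimport os; os.system("id")\n'},
    mtime=1_700_086_400,
)

if __name__ == "__main__":
    for label, candidate in [("rebuilt", REBUILT_SDIST), ("tampered", TAMPERED_SDIST)]:
        problems = compare_sdists(LOCAL_SDIST, candidate)
        print(label, "OK, safe to sign" if not problems else problems)
```

Only once `compare_sdists` returns an empty list does it make sense to run `gpg --armor --detach-sign pkg-1.0.tar.gz` on the downloaded file and publish the resulting `.asc`; signing a file you have not compared would just lend your key to whatever PyPI happened to serve.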