Bachmann1234 / diff_cover

Automatically find diff lines that need test coverage.
Apache License 2.0

pypi releases lack verification #131

Closed dvzrv closed 4 years ago

dvzrv commented 4 years ago

Hi! I'm packaging diff_cover for Arch Linux. To fend off supply chain attacks, I'd like to do sdist verification based on a detached PGP signature. I see that in the past PGP signatures were uploaded to pypi, but this has stopped. Additionally, tags are not verifiable by PGP either (my 2nd choice, if the pypi sdist lacks it).

It would be very awesome if the detached PGP signatures were added to releases again! Thanks!

Bachmann1234 commented 4 years ago

Yeah, I can get back into the habit of this. Release 2.5.1 should be going out now based on signed commit https://github.com/Bachmann1234/diff_cover/commit/44fd616c667524f63bf3f6f8030a89c754992ce8

But I realize my CI is probably not set up to sign that package ... I gotta look into a safe way of doing that

Bachmann1234 commented 4 years ago

bah, on second thought that's not a good idea. I'll look into seeing if I can sign a release after it's out

I realize that signing "after upload" might actually be insane. So I'd have to drop my auto releasing which I felt was pretty slick.

Bachmann1234 commented 4 years ago

Ok, give 2.5.2 a look. Pulled down the key and verified it so you should be all set.

dvzrv commented 4 years ago

@Bachmann1234 wow, thanks! :)

dvzrv commented 4 years ago

@Bachmann1234 did you upload your public key to a server? I can't import the key:

gpg --search-keys 54CAEABCAC2956D407348256972401BDE60128CB

gpg: data source: http://78.46.239.68:11371
gpg: key "54CAEABCAC2956D407348256972401BDE60128CB" not found on keyserver
gpg: keyserver search failed: Not found

dvzrv commented 4 years ago

If you want to go for the maximum throughput, just upload to all of them (shorter time before they all synced your pubkey): https://paste.xinu.at/axX1B9w/

Bachmann1234 commented 4 years ago

@dvzrv ah, that's probably because I'm a keybase user. https://keybase.io/bachmann

Let me get that key uploaded

Bachmann1234 commented 4 years ago

Got a bunch of failures but it looks like at least a few worked. Let me know if you can find it

Bachmann1234 commented 4 years ago

@dvzrv Were you able to find my key?

Seems to work on my end

❯ gpg --search-keys 54CAEABCAC2956D407348256972401BDE60128CB
gpg: data source: https://keys.openpgp.org:443
(1) Matt Bachmann <bachmann.matt@gmail.com>
    Matt Bachmann <matt.bachmann@lola.com>
      4096 bit RSA key 972401BDE60128CB, created: 2019-05-28
Keys 1-1 of 1 for "54CAEABCAC2956D407348256972401BDE60128CB".  Enter number(s), N)ext, or Q)uit > N

dvzrv commented 4 years ago

@Bachmann1234 sorry for not getting back to you on this earlier. I've spent the past days packaging a lot of stuff.

I was able to successfully import your key and it's now in use for the package for the verification step. Thank you!
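The verification step dvzrv describes, as an added example that is not part of this thread or of diff_cover itself: check a downloaded sdist against its detached signature and against a pinned maintainer fingerprint (the one quoted above), rather than accepting any "Good signature" from whatever key happens to be in the keyring. It assumes GnuPG 2.x is installed; the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not diff_cover's own tooling. Pins the maintainer
# fingerprint quoted in the thread and verifies an sdist against it.

PINNED_FPR="54CAEABCAC2956D407348256972401BDE60128CB"

# verify_sdist FILE SIG FINGERPRINT
# Returns 0 only when gpg reports a VALIDSIG whose primary-key
# fingerprint equals FINGERPRINT. Parsing the machine-readable
# --status-fd output instead of grepping "Good signature" means a
# signature made by some other key that is also in the keyring is
# rejected, which is what a packager's pinned-key check needs.
verify_sdist() {
    file=$1
    sig=$2
    want=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG layout: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire>
    #   <version> <reserved> <pubkey-algo> <hash-algo> <class> <primary-key-fpr>
    # The last field is the primary key fingerprint, which is what packagers pin.
    primary=$(printf '%s\n' "$status" \
        | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
    if [ -n "$primary" ] && [ "$primary" = "$want" ]; then
        return 0
    fi
    return 1
}

# Hypothetical usage with the release names from the thread, e.g. after
# downloading diff_cover-2.5.2.tar.gz and its .asc from PyPI:
#   verify_sdist diff_cover-2.5.2.tar.gz diff_cover-2.5.2.tar.gz.asc "$PINNED_FPR" \
#       && echo "sdist verified" || echo "REJECT: bad signature or wrong key"
```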