Closed: dvzrv closed this 4 years ago
Yeah, I can get back into the habit of this. Release 2.5.1 should be going out now based on signed commit https://github.com/Bachmann1234/diff_cover/commit/44fd616c667524f63bf3f6f8030a89c754992ce8
But I realize my CI is probably not set up to sign that package ... I gotta look into a safe way of doing that
bah, on second thought that's not a good idea. I'll look into seeing if I can sign a release after it's out
I realize that signing "after upload" might actually be insane. So I'd have to drop my auto releasing which I felt was pretty slick.
Ok, give 2.5.2 a look. Pulled down the key and verified it so you should be all set.
@Bachmann1234 wow, thanks! :)
@Bachmann1234 did you upload your public key to a server? I can't import the key:
gpg --search-keys 54CAEABCAC2956D407348256972401BDE60128CB
pg: data source: http://78.46.239.68:11371
gpg: key "54CAEABCAC2956D407348256972401BDE60128CB" not found on keyserver
gpg: keyserver search failed: Not found
If you want to go for the maximum throughput, just upload to all of them (shorter time before they all synced your pubkey): https://paste.xinu.at/axX1B9w/
@dvzrv ah, that's probably because I'm a keybase user. https://keybase.io/bachmann
Let me get that key uploaded
Got a bunch of failures but it looks like at least a few worked. Let me know if you can find it
@dvzrv Were you able to find my key?
Seems to work on my end
❯ gpg --search-keys 54CAEABCAC2956D407348256972401BDE60128CB
gpg: data source: https://keys.openpgp.org:443
(1) Matt Bachmann <bachmann.matt@gmail.com>
Matt Bachmann <matt.bachmann@lola.com>
4096 bit RSA key 972401BDE60128CB, created: 2019-05-28
Keys 1-1 of 1 for "54CAEABCAC2956D407348256972401BDE60128CB". Enter number(s), N)ext, or Q)uit > N
@Bachmann1234 sorry for not getting back to you on this earlier. I've spent the past days packaging a lot of stuff.
I was able to successfully import your key and it's now in use for the package for the verification step. Thank you!
Hi! I'm packaging diff_cover for Arch Linux. To fend off supply chain attacks, I'd like to do sdist verification based on a detached PGP signature. I see that in the past PGP signatures were uploaded to pypi, but this has stopped. Additionally, tags are not verifiable by PGP either (my 2nd choice, if the pypi sdist lacks it).
It would be very awesome if the detached PGP signatures were added to releases again! Thanks!
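The verification step the packager describes (sdist plus detached signature, checked against a key pinned by its full fingerprint) as an added example that is not part of diff_cover or of this thread. It assumes GnuPG 2.x and awk on PATH; `verify_sdist` and `demo_verification` are hypothetical helper names, and the signing identity, the tarball contents and the wrong fingerprint are all constructed inline so the script runs offline. The point it makes is that `gpg --verify` exiting 0 is not the check; the check is the `VALIDSIG` status line carrying exactly the fingerprint you pinned (for diff_cover that would be the 40-digit fingerprint fetched above, not the 16-digit key ID).

```shell
#!/bin/sh
# Added example, not code from the diff_cover project: verify a downloaded
# sdist against its detached PGP signature, pinning the full fingerprint of
# the release key. Assumes gpg (GnuPG 2.x) and awk are on PATH.

# verify_sdist FILE SIGNATURE EXPECTED_FINGERPRINT
# Succeeds only when gpg reports VALIDSIG and the signing key's fingerprint
# equals EXPECTED_FINGERPRINT. A good exit status from gpg alone would also
# accept any key that happens to be in the keyring, so the status line is parsed.
verify_sdist() {
    _file="$1"; _sig="$2"; _expected="$3"
    _status=$(gpg --batch --status-fd 1 --verify "$_sig" "$_file" 2>/dev/null) || return 1
    # Status format: [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ... <primary fpr>
    _actual=$(printf '%s\n' "$_status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# demo_verification: builds a throwaway keyring, a constructed "sdist" and a
# signature for it, then exercises the three outcomes a packager cares about.
# Returns 0 when the genuine case passes and both bad cases are rejected.
demo_verification() {
    _tmp=$(mktemp -d) || return 1
    export GNUPGHOME="$_tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Constructed signing identity; stands in for the upstream release key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-gen-key \
        'Constructed Signer <signer@example.invalid>' ed25519 sign never 2>/dev/null || return 1
    _fpr=$(gpg --batch --with-colons --list-keys signer@example.invalid 2>/dev/null \
           | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$_fpr" ] || return 1

    # Constructed sdist bytes; in practice this is the tarball fetched from PyPI.
    _sdist="$_tmp/diff_cover-2.5.2.tar.gz"
    printf 'constructed sdist bytes for diff_cover-2.5.2\n' > "$_sdist"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor --detach-sign \
        --output "$_sdist.asc" "$_sdist" 2>/dev/null || return 1

    _ok=0
    # 1. Genuine file, genuine signature, pinned fingerprint: must pass.
    verify_sdist "$_sdist" "$_sdist.asc" "$_fpr" || _ok=1
    # 2. Genuine signature but a different pinned fingerprint (constructed
    #    placeholder value): must fail even though gpg itself says the
    #    signature is good.
    verify_sdist "$_sdist" "$_sdist.asc" 0000000000000000000000000000000000000000 && _ok=1
    # 3. Tampered file: must fail (BADSIG instead of VALIDSIG).
    printf 'x' >> "$_sdist"
    verify_sdist "$_sdist" "$_sdist.asc" "$_fpr" && _ok=1

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$_tmp"
    return $_ok
}
```

In a real packaging recipe the key is imported once by its full fingerprint (as done in the thread with `gpg --search-keys`), that fingerprint is what gets pinned, and the same `VALIDSIG` comparison is what tools such as Arch's makepkg perform against their list of valid PGP keys.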