jenstroeger / python-package-template

An opinionated Python package/application template repository, with SLSA and SBOM support built in, enabled for security scanners, code linters, typing, testing and code coverage monitoring, and release automation for reproducible builds.
MIT License

Signing things #332

Open jenstroeger opened 2 years ago

jenstroeger commented 2 years ago

Git allows for signing commits and tags, see also the Signing Your Work chapter. Furthermore, twine upload allows for signing packages when uploading them to a PyPI server.

Related to PR https://github.com/jenstroeger/python-package-template/pull/306 and issue https://github.com/commitizen-tools/commitizen/issues/575, I wanted to keep the discussion going on signing and verifying signatures in an automated workflow. Signing commits and tags not only generated by a local user (who needs to sign commits locally) but also generated by the release.yaml Action

https://github.com/jenstroeger/python-package-template/blob/f41b0e6a46061081370253b9ac17a1b62b5c85dc/.github/workflows/release.yaml#L55-L60

and

https://github.com/jenstroeger/python-package-template/blob/f41b0e6a46061081370253b9ac17a1b62b5c85dc/.github/workflows/release.yaml#L140-L145

Read the linked issue for more information, and take a look at the How to use GPG key in github actions? Also related is issue https://github.com/actions/runner/issues/667.

jenstroeger commented 1 year ago

See also secure-python-package-template.

jenstroeger commented 1 year ago

There’s also discussion on signing packages, although PyPI doesn’t seem to have great support for that. See also