pypa / twine

Utilities for interacting with PyPI
https://twine.readthedocs.io/
Apache License 2.0

upload: warn the user if their signature(s) are ignored #1010

Closed woodruffw closed 1 year ago

woodruffw commented 1 year ago

This is an initial step towards #1009: if twine upload sees that any to-be-uploaded dist has an associated PGP signature and that the index URL looks like pypi.org (i.e. PyPI or TestPyPI), it emits a warning notifying the user that their PGP signature will be silently ignored.

See #1009.
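The check described in this PR, as an added illustration that is not twine's own code: find the dists that carry a detached `.asc` signature, decide whether the index URL is PyPI or TestPyPI, and produce a single warning rather than one per artifact. The host set, the helper names and the sample file list are assumptions.

```python
"""Added example of the 'signature will be ignored' warning logic from
twine PR #1010. Not twine's code; names and sample data are assumptions."""
from typing import Iterable, List, Optional
from urllib.parse import urlparse


def index_is_pypi(repository_url: str) -> bool:
    """True if the index URL points at pypi.org or one of its subdomains.

    Covers the assumed defaults https://upload.pypi.org/legacy/ and
    https://test.pypi.org/legacy/; a private index or mirror returns False."""
    host = (urlparse(repository_url).hostname or "").lower()
    return host == "pypi.org" or host.endswith(".pypi.org")


def signed_dists(dists: Iterable[str], existing: Iterable[str]) -> List[str]:
    """Return the dists that have a sibling '<dist>.asc' detached signature.

    `existing` stands in for a directory listing so the example runs offline."""
    present = set(existing)
    return [d for d in dists if f"{d}.asc" in present]


def check_ignored_signatures(dists: Iterable[str], existing: Iterable[str],
                             repository_url: str) -> Optional[str]:
    """Return one warning message, or None when no warning is needed.

    A warning is only warranted when both conditions hold: at least one dist
    is signed AND the target index discards signatures (pypi.org)."""
    signed = signed_dists(list(dists), existing)
    if not signed or not index_is_pypi(repository_url):
        return None
    host = urlparse(repository_url).hostname
    return (f"{len(signed)} distribution(s) have PGP signatures, but {host} "
            "will silently ignore them: " + ", ".join(signed))


if __name__ == "__main__":
    # Constructed sample: one signed wheel, one unsigned sdist, upload to PyPI.
    files = ["pkg-1.0-py3-none-any.whl", "pkg-1.0-py3-none-any.whl.asc",
             "pkg-1.0.tar.gz"]
    msg = check_ignored_signatures(
        ["pkg-1.0-py3-none-any.whl", "pkg-1.0.tar.gz"], files,
        "https://upload.pypi.org/legacy/")
    print(msg or "no warning")
```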

sigmavirus24 commented 1 year ago

Thanks @woodruffw. I think one warning (rather than one per artifact) is best for now. I think a second warning for non-PyPI URLs could be useful to indicate we're considering removing support altogether and not just for PyPI uploads (with a link to the issue you opened or some other venue).

woodruffw commented 1 year ago

Thanks!

> I think a second warning for non-PyPI URLs could be useful to indicate we're considering removing support altogether and not just for PyPI uploads (with a link to the issue you opened or some other venue).

Sounds good to me -- I can open a PR for that tomorrow.