Open maltfield opened 4 months ago
Note that this issue does appear to be specific to libusb1
and not an upstream issue with PyPI.
I confirmed that the signature is still available for another project (borgbackup):
user@disp9050:~$ curl -s https://pypi.org/simple/borgbackup/ | grep -i borgbackup-1.1.13.tar.gz
<a href="https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz#sha256=164a8666a61071ce2fa6c60627c7646f12e3a8e74cd38f046be72f5ea91b3821" >borgbackup-1.1.13.tar.gz</a><br />
user@disp9050:~$
user@disp9050:~$ wget https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz
--2024-02-25 22:49:21-- https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.124.223, 2a04:4e42:1e::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.124.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3754457 (3.6M) [application/x-tar]
Saving to: ‘borgbackup-1.1.13.tar.gz’
borgbackup-1.1.13.t 100%[===================>] 3.58M 42.6KB/s in 99s
2024-02-25 22:51:13 (37.0 KB/s) - ‘borgbackup-1.1.13.tar.gz’ saved [3754457/3754457]
user@disp9050:~$
user@disp9050:~$ wget https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz.asc
--2024-02-25 22:51:18-- https://files.pythonhosted.org/packages/97/68/27d96a12f54894223ad6676ce4d215ad61771e3e723580f3ee6e609e17b7/borgbackup-1.1.13.tar.gz.asc
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.124.223, 2a04:4e42:1e::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.124.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 862 [application/octet-stream]
Saving to: ‘borgbackup-1.1.13.tar.gz.asc’
borgbackup-1.1.13.t 100%[===================>] 862 --.-KB/s in 0.007s
2024-02-25 22:51:19 (115 KB/s) - ‘borgbackup-1.1.13.tar.gz.asc’ saved [862/862]
user@disp9050:~$
user@disp9050:~$ gpg --verify borgbackup-1.1.13.tar.gz.asc
gpg: assuming signed data in 'borgbackup-1.1.13.tar.gz'
gpg: Signature made Sat 06 Jun 2020 05:37:32 PM -05
gpg: using RSA key 2F81AFFBAB04E11FE8EE65D4243ACFA951F78E01
gpg: issuer "tw@waldmann-edv.de"
gpg: Good signature from "Thomas Waldmann <tw@waldmann-edv.de>" [unknown]
gpg: aka "Thomas Waldmann <thomas.j.waldmann@gmail.com>" [unknown]
gpg: aka "Thomas Waldmann <tw-public@gmx.de>" [unknown]
gpg: aka "Thomas Waldmann <twaldmann@thinkmo.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
Subkey fingerprint: 2F81 AFFB AB04 E11F E8EE 65D4 243A CFA9 51F7 8E01
user@disp9050:~$
Thank you for this detailed bug report.
Note that this issue does appear to be specific to
libusb1
and not an upstream issue with PyPI.
Indeed. Looks like it is even specific to the latest release:
$ curl --silent --request HEAD --write-out '%{http_code} %{url}\n' $(curl -s https://pypi.org/simple/libusb1/ | grep -i py3-none-any.whl | sed 's/.*href="\([^#]*\).*/\1.asc/')
200 https://files.pythonhosted.org/packages/fa/8e/7f3fdabe77d2b03e8eec31874bc4ecdb73b4f085698ccbc75b2b105b6dfd/libusb1-1.9-py3-none-any.whl.asc
200 https://files.pythonhosted.org/packages/3c/4b/0c8b566d21f8920019237cc9f919e0aeeb43aa350819ea4bcdd2788f39a3/libusb1-1.9.1-py3-none-any.whl.asc
200 https://files.pythonhosted.org/packages/14/bd/29515a44719569aa0942551571d89539a1c0633eb78a6d695b462145827f/libusb1-1.9.2-py3-none-any.whl.asc
200 https://files.pythonhosted.org/packages/b6/f7/be261cd16470bb732137288da2ea09fe983935325e47f986c42ca098eec2/libusb1-1.9.3-py3-none-any.whl.asc
200 https://files.pythonhosted.org/packages/75/02/d609f752af9cd0365479875a28d2f4ad7adfa9b1aa6772445bcc6884fe15/libusb1-1.10.1-py3-none-any.whl.asc
200 https://files.pythonhosted.org/packages/08/57/f07415f47e9fcd4034c73f0b5a72b752c6a82089f74c9b3d304c9a7e3a49/libusb1-2.0.0-py3-none-any.whl.asc
200 https://files.pythonhosted.org/packages/d2/43/86ee846c6c2ac858645eca239030247fae4f5d764177ce4fb9bedb05e41a/libusb1-2.0.1-py3-none-any.whl.asc
200 https://files.pythonhosted.org/packages/e0/a0/bfe18a27c5c8e8922bdd7f1ac67c10da907b95c00c3baa92e0dd463d02b6/libusb1-3.0.0-py3-none-any.whl.asc
404 https://files.pythonhosted.org/packages/85/5c/9169aea7690df382b677d9f725accc3ec864849c5ab49991e3823a942392/libusb1-3.1.0-py3-none-any.whl.asc
IIRC it is not possible to add files to an existing release, so I most likely have to release a new version.
While I guess it does not help much now, I see I did generate those signatures when I released and they do match the twine upload
command pattern setup.sh
outputs at the end, so I have no idea how they did not get uploaded while the rest of the release was:
$ release_prefix=dist/libusb1-3.1.0
$ ls -l ${release_prefix}-*.whl{,.asc} ${release_prefix}.tar.gz{,.asc}
-rw-r--r-- 1 vincent vincent 62368 29 oct. 03:09 dist/libusb1-3.1.0-py3-none-any.whl
-rw-r--r-- 1 vincent vincent 833 29 oct. 03:11 dist/libusb1-3.1.0-py3-none-any.whl.asc
-rw-r--r-- 1 vincent vincent 127838 29 oct. 03:09 dist/libusb1-3.1.0-py3-none-win32.whl
-rw-r--r-- 1 vincent vincent 833 29 oct. 03:11 dist/libusb1-3.1.0-py3-none-win32.whl.asc
-rw-r--r-- 1 vincent vincent 140380 29 oct. 03:09 dist/libusb1-3.1.0-py3-none-win_amd64.whl
-rw-r--r-- 1 vincent vincent 833 29 oct. 03:11 dist/libusb1-3.1.0-py3-none-win_amd64.whl.asc
-rw-r--r-- 1 vincent vincent 83013 29 oct. 03:09 dist/libusb1-3.1.0.tar.gz
-rw-r--r-- 1 vincent vincent 833 29 oct. 03:11 dist/libusb1-3.1.0.tar.gz.asc
In addition to attempting a new release, can you also please add all the release files as a release on GitHub?
That would provide a redundant method for downstream consumers of python-libusb1
to be able to safely obtain this dependency, even if there's issues on PyPI's website.
Good idea. I created the 3.0.0 and 3.1.0 releases.
Also, as libusb1 released 1.0.27 since I released 3.1.0 I intend to port the features it brings to python-libusb1 before doing a new release, so it is going to need more time.
I created the 3.0.0 and 3.1.0 releases.
Great, that unblocks us for now so we can safely build our app again. Thanks :)
Describe the bug The cryptographic signature of the
libusb1
module on PyPI has gone missing (404 Not Found)To Reproduce
Steps to reproduce the behavior (following the instructions found here):
.whl
file from the pypi.org simple API.asc
to the URL of the.whl
file's URL and attempt to download itExample execution
Note that the file is available; just the signature is not.
Expected behavior
I should be able to download both the
libusb1
payload and its cryptographic signature as before (and my builds shouldn't be breaking due to this bug).