Signing things #332

@jenstroeger

Git allows for signing commits and tags, see also the Signing Your Work chapter. Furthermore, twine upload allows for signing packages when uploading them to a PyPI server.

Related to PR #306 and issue commitizen-tools/commitizen#575, I wanted to keep the discussion going on signing and verifying signatures in an automated workflow. Signing commits and tags not only generated by a local user (who needs to sign commits locally) but also those generated by the release.yaml Action:

```yaml
- name: Create changelog and bump
  run: cz bump --changelog --yes
- name: Push the release
  run: |
    git push
    git push --tags
```

and

```yaml
# - name: Publish to PyPI server
#   run: |
#     export TWINE_USERNAME=<USERNAME>
#     export TWINE_PASSWORD=<PASSWORD>
#     export TWINE_REPOSITORY_URL=<REPOSITORY_URL>
#     twine upload --verbose dist/*.tar.gz dist/*.whl
```

Read the linked issue for more information, and take a look at the question How to use GPG key in github actions? Also related is issue actions/runner#667.
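The following workflow is an added example, not part of the issue or of the project's own release.yaml. It shows one way to do what the description asks for: the Action imports a release signing key from repository secrets, configures git so that the commit and tag produced by `cz bump` are signed, verifies both signatures before anything is pushed, and signs the package uploaded with twine. The secret names `GPG_PRIVATE_KEY` and `GPG_KEY_ID`, the bot identity, and the assumption that commitizen and twine are already installed and `dist/` already built are all assumptions for the example; the key is assumed to have no passphrase, since git invokes gpg non-interactively on a runner.

```yaml
# Added example workflow (not from the issue or the project). Assumed secrets:
#   GPG_PRIVATE_KEY  ASCII-armoured private key without a passphrase
#   GPG_KEY_ID       long key id of that key
# Assumed to already exist: commitizen, twine, and a built dist/ directory.
name: release

on:
  workflow_dispatch:

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # cz bump needs the full history and existing tags

      - name: Import the release signing key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
          gpg --batch --list-secret-keys --keyid-format long

      - name: Configure git to sign every commit and tag it creates
        env:
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          git config user.name "release-bot"                 # placeholder identity
          git config user.email "release-bot@example.com"    # placeholder identity
          git config user.signingkey "$GPG_KEY_ID"
          git config commit.gpgsign true
          git config tag.gpgsign true

      - name: Create changelog and bump
        run: cz bump --changelog --yes

      # Fail the job before pushing if either object is unsigned or the
      # signature does not verify with the imported key.
      - name: Verify the signatures produced by the bump
        run: |
          git verify-commit HEAD
          git verify-tag "$(git describe --tags --abbrev=0)"

      - name: Push the release
        run: |
          git push
          git push --tags

      - name: Publish to PyPI server
        env:
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
          TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
          TWINE_REPOSITORY_URL: ${{ secrets.TWINE_REPOSITORY_URL }}
        run: |
          # --sign produces a detached .asc next to each artifact and uploads it
          twine upload --verbose --sign --identity "$GPG_KEY_ID" dist/*.tar.gz dist/*.whl
```

The two `git verify-*` calls are the part worth keeping even if the rest changes: they make the job fail closed when signing silently did not happen (wrong `signingkey`, key not imported, `gpgsign` unset), which is otherwise easy to miss because `cz bump` and `git push` succeed either way. Note that twine's `--sign` only covers uploads to servers that still accept detached GPG signatures; pypi.org stopped accepting them in 2023, so for that target the verification step above is the part that still applies.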

Labels: SLSA (relating to Supply-chain Levels for Software Artifacts), github_actions (pull requests that update GitHub Actions code), security (security related features or bugs)
