"twine upload" usually fails to upload .asc files #132
Comments
|
Hey @warner, could you provide the output of Thanks for reporting this |
|
It's on OS-X (10.10.5), using python 2.7.10 (from homebrew), so the shell is responsible for expanding the glob. I'm pretty sure I was using:
While debugging it, I added a As best I could figure, the problem was a combination of a couple of things in 1.6.1, when I ran it with a command that expands to
# Determine if the user has passed in pre-signed distributions
signatures = dict(
(os.path.basename(d), d) for d in dists if d.endswith(".asc")
)The for filename in uploads:
package = PackageFile.from_filename(filename, comment)and self.signed_filename = self.filename + '.asc'And then signed_name = package.signed_filename
if signed_name in signatures:
with open(signatures[signed_name], "rb") as gpg:
package.gpg_signature = (signed_name, gpg.read())but by that point it's comparing the path-bearing Thanks for digging into this! |
|
With twine 1.5.0, I (just) successfully made another upload of txtorcon that included signatures properly. The command-lines used are in the my Makefile: https://github.com/meejah/txtorcon/blob/master/Makefile#L101 I have not tried with other Twine versions. |
|
This probably has something to do with the refactor that I did pre-1.6.0. Now that @warner has provided the debugging information, I'll try to release 1.6.2 tonight. Thanks all! |
Remove commented out code that is no longer relevant. Conveniently, those comments also confirmed the bug report (in that I had refactored incorrectly). This commit: - Adds signed_basefilename to PackageFile - Uses signed_basefilename appropriately - Corrects typo in PackageFile.sign - Uses signed_basefilename in PackageFile.sign - Adds PackageFile.add_gpg_signature to reduce duplication Closes pypa#132
If we receive a glob that was unexpanded, we already expand that. However, we were not then updating our signatures dictionary and as such we were probably uploading packages and signatures incorrectly in that very rare case. This changes twine-upload to expand those globs much earlier in the execution so we do not miss any signature data or anything else while uploading a package. Related to pypa#132
|
@warner I released 1.6.2 a few seconds ago. Cheers! |
|
great, thanks! |
On the most recent Foolscap release, I signed the sdist tarballs as usual, and tried to use twine to upload everything:
Twine uploaded the tar/zip/whl files, but ignored the .asc signatures, and the resulting pypi page doesn't show them either.
After some digging, I found that
twine/upload.py upload()will only use pre-signed .asc files if the command was run likecd dist; twine upload *. It won't use them if it was run ascd dist; twine upload ./*ortwine upload dist/*. The problem seems to be that thesignaturesdictionary is indexed by the basename of the signature files, while the lookup key is using the full (original) filename of the tarball/etc with ".asc" appended.I think it might be simpler and safer to have the code just check for a neighboring .asc file inside the upload loop, something like:
I'll write up a patch for this. I started to look for a way of adding a test, but the code that looks for signatures happens deep enough in
upload()that it'd need a oversized mock "Repository" class to exercise the .asc check without actually uploading anything. I'm not sure what the best way to approach the test would be.The text was updated successfully, but these errors were encountered: