Add option to sign release artifacts with verify_release #1979
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prior to theupdateframework#1946 the verify_release script was successful if both PyPI and GitHub release artifacts matched the local build. Now, if the `--skip-pypi` option is provided, the script can also be successful if only the GitHub release artifacts match the local build. This commit splits the final success message in two separate success messages, one for PyPI and one for GitHub. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh
force-pushed
the
verify_release-sign
branch
from
2b80f7b
to
89ae750
Compare
Pull Request Test Coverage Report for Build 2232657631Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
lukpueh
force-pushed
the
verify_release-sign
branch
from
89ae750
to
8711d74
Compare
lukpueh
commented
Apr 27, 2022
verify_release
Outdated
| if True: | ||
| key_id = None | ||
| if args.sign is not True: | ||
| key_id = args.sign |
There was a problem hiding this comment.
Apologies if this is becoming too arrowheady.
Add option to sign locally built release artifacts with gpg, if they match the downloaded artifacts from GitHub, PyPI. Signed-off-by: Lukas Puehringer <[email protected]>
Mention how to use verify_release with the recently added --sign option to create signatures for a verified release. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh
force-pushed
the
verify_release-sign
branch
from
8711d74
to
8167889
Compare
|
I can see how this PR stretches the scope of |
joshuagl
approved these changes
Apr 27, 2022
jku
reviewed
Apr 27, 2022
verify_release
Outdated
| progress("Signing built release with gpg") | ||
| if success: | ||
| key_id = None | ||
| if args.sign is not True: |
There was a problem hiding this comment.
./verify_release --sign 8BA69B87D43BE294F23E812089A2AD3C07D962E8
There was a problem hiding this comment.
oh, it's True, False or keyid...
Actually, it is True, None or keyid
Co-authored-by: Joshua Lock <[email protected]> Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh
force-pushed
the
verify_release-sign
branch
from
969331e
to
a3d5a37
Compare
jku
approved these changes
Apr 27, 2022
There was a problem hiding this comment.
Looks good to me. My concerns are:
- we're tweaking the verification code just before the release where we want to demonstrate the verification -- but the code looks safe to me so let's do it
- the important thing WRT signatures would be to make verification easier: signing happens once, but we'd like verification to happen as much as possible -- but I suppose we have to sign before we can verify :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Quickfix 2 for #1966 (I suggest to leave the issue open or create a new one for a long-term fix)
Description of the changes being introduced by the pull request:
Please verify and check that the pull request fulfills the following
requirements: