Add option to sign release artifacts with verify_release #1979
Prior to theupdateframework#1946 the verify_release script was successful if both PyPI and GitHub release artifacts matched the local build. Now, if the `--skip-pypi` option is provided, the script can also be successful if only the GitHub release artifacts match the local build. This commit splits the final success message into two separate success messages, one for PyPI and one for GitHub. Signed-off-by: Lukas Puehringer <[email protected]>
2b80f7b to 89ae750
89ae750 to 8711d74
verify_release (outdated diff)
if True: | ||
key_id = None | ||
if args.sign is not True: | ||
key_id = args.sign |
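Review bot: `if True:` is a stand-in condition that makes the whole block unconditional; if the intended guard is whether signing was requested at all, test that directly (e.g. `if args.sign:`), which also removes one level of nesting and avoids the arrowhead shape noted in the thread.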
Apologies if this is becoming too arrowheady.
Add option to sign locally built release artifacts with gpg, if they match the downloaded artifacts from GitHub, PyPI. Signed-off-by: Lukas Puehringer <[email protected]>
Mention how to use verify_release with the recently added --sign option to create signatures for a verified release. Signed-off-by: Lukas Puehringer <[email protected]>
8711d74 to 8167889
I can see how this PR stretches the scope of
Very cool. This LGTM as is, but I made some minor suggestions inline which you may feel free to accept or ignore.
verify_release (outdated diff)
progress("Signing built release with gpg") | ||
if success: | ||
key_id = None | ||
if args.sign is not True: |
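Review bot: the `progress("Signing built release with gpg")` call runs before `if success:` is checked, so the message is printed even when verification failed and nothing is signed; move it under the `if success:` branch. The pair `key_id = None` / `if args.sign is not True:` can also collapse to a single `key_id = None if args.sign is True else args.sign`, which makes the True / None / key-id distinction visible at a glance.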
when could this be non-true?
oh, it's True, False or keyid...
./verify_release --sign 8BA69B87D43BE294F23E812089A2AD3C07D962E8
oh, it's True, False or keyid...
Actually, it is True, None or keyid
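The three-valued `--sign` option discussed in this thread (absent, bare, or followed by a key id) and the rule from the commit message (sign the local build only if it matches the downloaded artifacts), shown together in an added Python example. This is not the project's verify_release script; the option is modelled with argparse's `nargs="?"`/`const=True`, artifact equality is checked by SHA-256, and the gpg invocation is only assembled as a command list, not executed. Artifact names, contents and the key id placeholder are constructed for the example.

```python
"""Added example (not the project's verify_release): verify-then-sign flow."""
import argparse
import hashlib
import os
import tempfile
from typing import List, Optional, Union


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="verify_release")
    parser.add_argument("--skip-pypi", action="store_true")
    # nargs="?" with const=True yields the three states discussed in the thread:
    #   option absent   -> None   (do not sign)
    #   --sign          -> True   (sign with gpg's default key)
    #   --sign KEYID    -> "KEYID"
    parser.add_argument("--sign", nargs="?", const=True, default=None, metavar="KEYID")
    return parser


def parse_sign_option(argv: List[str]) -> Union[None, bool, str]:
    return build_parser().parse_args(argv).sign


def key_id_from_sign(sign: Union[None, bool, str]) -> Optional[str]:
    # True means "gpg default key", so there is no explicit key id to pass on.
    return None if sign is True else sign


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def artifacts_match(local_dir: str, downloaded_dir: str) -> bool:
    """True only if both directories hold the same names with identical SHA-256."""
    local = sorted(os.listdir(local_dir))
    downloaded = sorted(os.listdir(downloaded_dir))
    if not local or local != downloaded:
        return False
    return all(
        sha256_file(os.path.join(local_dir, n)) == sha256_file(os.path.join(downloaded_dir, n))
        for n in local
    )


def gpg_sign_command(artifact: str, key_id: Optional[str]) -> List[str]:
    """Assemble a detached, ASCII-armored gpg signature command for one artifact."""
    cmd = ["gpg", "--detach-sign", "--armor"]
    if key_id is not None:
        cmd += ["--local-user", key_id]
    cmd += ["--output", artifact + ".asc", artifact]
    return cmd


def plan_signing(local_dir: str, downloaded_dir: str, sign) -> List[List[str]]:
    """gpg commands to run; empty when signing was not requested or verification failed."""
    if sign is None or not artifacts_match(local_dir, downloaded_dir):
        return []
    key_id = key_id_from_sign(sign)
    return [gpg_sign_command(os.path.join(local_dir, n), key_id)
            for n in sorted(os.listdir(local_dir))]


def demo(tampered: bool) -> List[List[str]]:
    """Constructed sample: a local build and a 'downloaded' copy of two artifacts.
    With tampered=True the downloaded copy differs by one byte, so nothing is signed."""
    local, downloaded = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = (("pkg-1.0.0.tar.gz", b"constructed sdist bytes"),
               ("pkg-1.0.0-py3-none-any.whl", b"constructed wheel bytes"))
    for name, data in samples:
        with open(os.path.join(local, name), "wb") as f:
            f.write(data)
        with open(os.path.join(downloaded, name), "wb") as f:
            f.write(data + (b"!" if tampered else b""))
    return plan_signing(local, downloaded, "KEYID-PLACEHOLDER")


if __name__ == "__main__":
    for cmd in demo(tampered=False):
        print(" ".join(cmd))
    print("tampered build ->", demo(tampered=True))
```

The ordering matters for the point raised in the review: the hash comparison runs first and the gpg command list is only produced on a match, so a mismatch between the local build and the published artifacts can never yield a signature.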
Co-authored-by: Joshua Lock <[email protected]> Signed-off-by: Lukas Puehringer <[email protected]>
969331e to a3d5a37
Looks good to me. My concerns are:
- we're tweaking the verification code just before the release where we want to demonstrate the verification -- but the code looks safe to me so let's do it
- the important thing WRT signatures would be to make verification easier: signing happens once, but we'd like verification to happen as much as possible -- but I suppose we have to sign before we can verify :)
Quickfix 2 for #1966 (I suggest leaving the issue open or creating a new one for a long-term fix)