Finally, twine allows you to pre-sign your files and pass the .asc files into the command line invocation (twine upload myproject-1.0.1.tar.gz myproject-1.0.1.tar.gz.asc). This enables you to be assured that you’re typing your gpg passphrase into gpg itself and not anything else, since you will be the one directly executing gpg --detach-sign -a <filename>.
See specifically the --sign option and these references:
The problem is that the .asc files are not retrievable from an NXRM3 hosted PyPI repository, and support for this feature appears to be absent.
- use twine upload --sign to generate .asc files and have a hosted PyPI repository store them
- allow HTTP GET of the .asc files as per https://warehouse.readthedocs.io/api-reference/legacy/#get--simple--project--
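The following is an added example (not code from twine, Warehouse or Nexus Repository) of the check a consumer would run against a hosted repository to confirm the second point: it parses a PEP 503 simple index page, derives the expected signature URL for every link that advertises one, and reports the files whose .asc is not actually served. It assumes the Warehouse legacy convention that a link carrying data-gpg-sig="true" has its detached signature at the file URL with ".asc" appended; the sample index page, the nexus.example.test host and the fetcher are constructed for the example.

```python
"""Check whether a PEP 503 simple index actually serves the .asc signatures it advertises.

Added example, not code from twine, Warehouse or Nexus Repository. Assumes the
Warehouse legacy convention: a file link with data-gpg-sig="true" has its detached
signature at the same URL (minus the #sha256= fragment) with ".asc" appended.
"""
import subprocess
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample index page, shaped like what a hosted repository serves for
# GET /simple/<project>/ (hostname and package names are made up).
SAMPLE_INDEX = """<!DOCTYPE html>
<html><head><title>Links for myproject</title></head>
<body><h1>Links for myproject</h1>
<a href="../../packages/myproject-1.0.1.tar.gz#sha256=abc" data-gpg-sig="true">myproject-1.0.1.tar.gz</a><br/>
<a href="../../packages/myproject-1.0.1-py3-none-any.whl#sha256=def" data-gpg-sig="false">myproject-1.0.1-py3-none-any.whl</a><br/>
</body></html>
"""
PAGE_URL = "https://nexus.example.test/repository/pypi-hosted/simple/myproject/"


class _LinkCollector(HTMLParser):
    """Collect every <a href=...> on the page together with its data-gpg-sig attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if "href" in a:
            self.links.append((a["href"], a.get("data-gpg-sig")))


def signature_links(index_html, page_url):
    """Return [(filename, file_url, sig_url)] for each link on a simple index page.

    sig_url is None when the index does not claim a signature (data-gpg-sig != "true").
    """
    parser = _LinkCollector()
    parser.feed(index_html)
    result = []
    for href, gpg_sig in parser.links:
        # Resolve the relative href against the index page, then drop the hash fragment
        # so the filename and the .asc URL do not carry "#sha256=...".
        file_url = urljoin(page_url, href).split("#", 1)[0]
        filename = urlparse(file_url).path.rsplit("/", 1)[-1]
        sig_url = file_url + ".asc" if gpg_sig == "true" else None
        result.append((filename, file_url, sig_url))
    return result


def missing_signatures(index_html, page_url, head):
    """Names of files whose advertised .asc is not served.

    `head` is injected (e.g. a function doing an HTTP HEAD/GET and returning the status
    code) so the check can be run offline against a fake; anything but 200 counts as missing.
    """
    return [
        name
        for name, _, sig_url in signature_links(index_html, page_url)
        if sig_url is not None and head(sig_url) != 200
    ]


def verify_detached_signature(file_path, sig_path):
    """Verify a downloaded .asc against its file with gpg; True only on exit status 0.

    Requires gpg on PATH and the signer's public key in the local keyring, so it is not
    exercised offline here.
    """
    proc = subprocess.run(["gpg", "--verify", sig_path, file_path], capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    # A repository that returns 404 for every .asc (the behaviour described above).
    print(missing_signatures(SAMPLE_INDEX, PAGE_URL, lambda url: 404))
```

Run against a real repository by replacing the lambda with a function that issues a HEAD request to the URL and returns the status code; an empty list means every signature the index advertises is retrievable and can be handed to gpg --verify.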