  1. Dev - Nexus Repo
  2. NEXUS-19348

add support for upload and download of pre-signed Python package .asc files using twine upload --sign

    Details

      Description

      From https://pypi.org/project/twine/

      Finally, twine allows you to pre-sign your files and pass the .asc files into the command line invocation (twine upload myproject-1.0.1.tar.gz myproject-1.0.1.tar.gz.asc). This enables you to be assured that you’re typing your gpg passphrase into gpg itself and not anything else, since you will be the one directly executing gpg --detach-sign -a <filename>.

      See specifically the --sign option and these references:

      https://warehouse.readthedocs.io/api-reference/legacy/#get--simple--project--
      https://github.com/pypa/twine/issues/382

      The problem is that the .asc files are not retrievable from an NXRM3 PyPI hosted repository, and support for this feature seems absent.

      Expected
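To check whether a repository exposes signatures after an upload, the sketch below (an added example, not part of the ticket and not Nexus or twine code) parses a PEP 503 simple project page and derives where each file's signature must live: next to the file, under the same name with .asc appended, with the optional data-gpg-sig attribute stating whether one exists. The host, repository path and index HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed values: placeholder host and an assumed hosted-repository layout.
BASE_URL = "https://repo.example/repository/pypi-hosted/simple/myproject/"
SAMPLE_INDEX = """<!DOCTYPE html><html><body>
<a href="../../packages/myproject/1.0.1/myproject-1.0.1.tar.gz#sha256=00" data-gpg-sig="true">myproject-1.0.1.tar.gz</a>
<a href="../../packages/myproject/1.0.1/myproject-1.0.1-py3-none-any.whl#sha256=00" data-gpg-sig="false">myproject-1.0.1-py3-none-any.whl</a>
<a href="../../packages/myproject/1.0.0/myproject-1.0.0.tar.gz#sha256=00">myproject-1.0.0.tar.gz</a>
</body></html>"""


class _FileLinks(HTMLParser):
    """Collect the attributes of every <a href=...> on the index page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "a" and attributes.get("href"):
            self.links.append(attributes)


def signature_urls(index_html, base_url):
    """Map filename -> (signature URL or None, advertised flag).

    advertised is True/False when data-gpg-sig is present, None when the
    repository does not say (the .asc may still exist and must be probed).
    """
    parser = _FileLinks()
    parser.feed(index_html)
    result = {}
    for link in parser.links:
        # Drop the #sha256=... fragment before appending ".asc".
        file_url, _ = urldefrag(urljoin(base_url, link["href"]))
        flag = {"true": True, "false": False}.get(link.get("data-gpg-sig"))
        sig_url = None if flag is False else file_url + ".asc"
        result[file_url.rsplit("/", 1)[-1]] = (sig_url, flag)
    return result


if __name__ == "__main__":
    for name, (sig_url, flag) in signature_urls(SAMPLE_INDEX, BASE_URL).items():
        print(f"{name}: data-gpg-sig={flag} signature={sig_url}")
```

Fetching each derived URL and running gpg --verify <file>.asc <file> completes the check; a 404 for a file that was uploaded together with its .asc matches the behaviour reported in this ticket.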


            People

            Assignee:
            oshiyanbade Olu Shiyanbade
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Michael Prescott
            Team:
            NXRM - Cypher
            Votes:
            2
            Watchers:
            7