GPG signing builds?

[firecat53]

I see that hatch publish has options for a certificate and key. Is there an option like twine upload --identity for GPG signing the upload to Pypi? Thanks!

[ofek]

Hey! Not yet. What is that workflow exactly?

[firecat53]

Using setuptools/setup.py and the gh github CLI tool (or you can do a manual release on the website). I also have the gpg-agent running and my signing key in ~/.gitconfig. Pypi access token is held in ~/.pypirc.

$ git tag -s -u <gpg key uid> v1.1.0
$ git push --tags
$ gh release create v1.1.0
$ python -m build
$ twine upload -s -r pypi dist/*

[firecat53]

After a little reading, I discovered that apparently GPG python package signing is not really a thing. Pypi doesn't present the GPG signature other than through their API. There's nothing visible on the Pypi website. Other tools such as Poetry also do not incorporate GPG signatures. So I guess unless something changes with Pypi, it's a non-issue. I've been signing my packages for years and never really looked to see if it meant anything! 🤷

[ofek]

Oh that makes sense, thanks!