
Re: PyPI and OpenPGP keys (was: RFC: advise against using Proton Mail for Debian work?)



On 2023-11-16 00:20:40 +0100 (+0100), Salvo Tomaselli wrote:
> In data mercoledì 15 novembre 2023 15:58:15 CET, Jeremy Stanley ha scritto:
> > why do you need to put an OpenPGP key on the service
> > you're using to upload Python packages (not Debian packages) to
> > PyPI, given that PyPI doesn't support uploading OpenPGP signatures
> > anyway?
> 
> I need to create a .tar.gz and a .tar.gz.asc.
> 
> I am currently not using any service to upload to pypi. But this
> requires the occasional creation and deletion of global tokens.
> 
> The only way to avoid global tokens is to upload from github, in
> which case I can no longer sign the .tar.gz.
[...]

I guess what I'm still not understanding is why your upload to PyPI
has to happen from the same system where the artifact was built (and
possibly also where it was signed). The system with your OpenPGP
signing key and build toolchain doesn't have to be the same system
as where your PyPI upload credentials reside.

I manage a very much non-GitHub CI/CD infrastructure that builds
artifacts on one system, securely retrieves them from there and
signs them on another system, then uploads them to PyPI from yet
another system. The build toolchain has no direct access to the
OpenPGP signing key, nor does the PyPI uploading tool. The build
toolchain also has no access to the PyPI upload credentials; all of
these different steps are isolated from one another by the CI/CD
system.

A solution like that is almost certainly overkill for casual
efforts (our community has hundreds of projects with thousands of
releases managed through central automation, making it more
worthwhile), but the point is that none of those steps needs to
happen on the same system. This is why I continue not to understand
how you think using PyPI's "trusted publisher" would necessitate
giving your (entirely unrelated to that process) OpenPGP private key
to GitHub, or to whatever future systems PyPI adds a trust
relationship with, for that matter.
-- 
Jeremy Stanley
