Digitally sign before publish?

[sfc-gh-pkommini]

Hi Team,

Is there a way to digitally sign my package before publishing it to pypi? Is there a feature in here that allows for such a security publish?

[webknjaz]

Hi Prasanth,

It sounds like you're confusing two different aspects of the release flow. So let me first address that.
Publishing is the matter of sending the dists over HTTPS. So publishing itself is secure (to the extent of your trust to GHA to securely store your secrets).
Now, adding a signature is a whole other thing. Technically, PyPI still supports having signatures next to the dists but there's no proper tooling for working with them, and thus it's been discouraged for years as barely usable. If you put a signature file next to the dist, twine upload will pick it up and send it over to PyPI too.
Since we mostly just call twine upload, there's no extra configuration necessary, just create all the files prior to invoking this action.

I also want to mention that the "old way" will probably get phased out at some point and you shouldn't rely on it long-term. There is an effort of solving this problem "the right way" on scale with TUF and Sigstore but the timeline is blurry (but I haven't checked on the state of that development for a while now).

I suggest you check the state of the ecosystem once in a while but meanwhile, you could try using the old signatures. Just know that there's no verification infrastructure that you could rely on at the moment.

[webknjaz]

UPD: it's now recommended to use https://github.com/marketplace/actions/gh-action-sigstore-python to sign the artifacts.

[webknjaz]

UPD: My PyPUG guide now has an example of signing the artifacts using sigstore.

https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#signing-the-distribution-packages