Merge pull request #1099 from woodruffw-forks/ww/attestations-error

upload: prevent --attestations on non-PyPI indices
pypa · May 2, 2024 · 5d17a43 · 5d17a43
2 parents 0ec5d18 + 6af785e
commit 5d17a43
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/tests/test_upload.py b/tests/test_upload.py
@@ -670,3 +670,16 @@ def test_check_status_code_for_wrong_repo_url(repo_url, upload_settings, stub_re
                 helpers.NEW_WHEEL_FIXTURE,
             ],
         )
+
+
+def test_upload_rejects_attestations_non_pypi(upload_settings):
+    upload_settings.repository_config["repository"] = "https://notpypi.example.com"
+    upload_settings.attestations = True
+
+    with pytest.raises(
+        exceptions.InvalidConfiguration, match="may only be used with PyPI and TestPyPI"
+    ):
+        upload.upload(
+            upload_settings,
+            [helpers.WHEEL_FIXTURE, helpers.WHEEL_FIXTURE + ".foo.attestation"],
+        )
diff --git a/twine/commands/upload.py b/twine/commands/upload.py
@@ -170,12 +170,24 @@ def upload(upload_settings: settings.Settings, dists: List[str]) -> None:
     :raises requests.HTTPError:
         The repository responded with an error.
     """
+    upload_settings.check_repository_url()
+    repository_url = cast(str, upload_settings.repository_config["repository"])
+
+    # Attestations are only supported on PyPI and TestPyPI at the moment.
+    # We fail early here if the user requests any other index, to prevent
+    # users from attempting to use `--attestations` on other indices and
+    # failing bugs when upload fails.
+    if upload_settings.attestations and not repository_url.startswith(
+        (utils.DEFAULT_REPOSITORY, utils.TEST_REPOSITORY)
+    ):
+        raise exceptions.InvalidConfiguration(
+            "The --attestations flag may only be used with PyPI and TestPyPI"
+        )
+
     dists = commands._find_dists(dists)
     # Determine if the user has passed in pre-signed distributions or any attestations.
     uploads, signatures, attestations_by_dist = _split_inputs(dists)
 
-    upload_settings.check_repository_url()
-    repository_url = cast(str, upload_settings.repository_config["repository"])
     print(f"Uploading distributions to {repository_url}")
 
     packages_to_upload = [