From: Jan Kiszka <
jan.k...@siemens.com>
It turned out that PyPI removed GPG signature support [1] long before we
added it. And we therefore also failed to ever upload the locally
generated detached signatures. Great.
Stop this futile attempt. We need to rethink the approach, ideally via
ensuring and validating binary reproducibility. Just relying on some
3rd-party (GitHub) for "trusted" publishing would not be optimal.
[1]
https://blog.pypi.org/posts/2023-05-23-removing-pgp/
Signed-off-by: Jan Kiszka <
jan.k...@siemens.com>
---
scripts/release.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/release.sh b/scripts/release.sh
index 3bdae21..703d950 100755
--- a/scripts/release.sh
+++ b/scripts/release.sh
@@ -42,7 +42,7 @@ git tag -s -m "Release $NEW_VERSION" "$NEW_VERSION"
git push --follow-tags
python3 -m build
-twine upload -s -r pypi "dist/kas-$NEW_VERSION.tar.gz" "dist/kas-$NEW_VERSION-py3-none-any.whl"
+twine upload -r pypi "dist/kas-$NEW_VERSION.tar.gz" "dist/kas-$NEW_VERSION-py3-none-any.whl"
authors=$(git shortlog -s "$OLD_VERSION".."$NEW_VERSION" | cut -c8- | paste -s -d, - | sed -e 's/,/, /g')
highlights=$(sed -e "/$OLD_VERSION$/,\$d" CHANGELOG.md)
--
2.47.3