Skip to content

cli: Support friendlier syntax for verify pypi command #87

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 11, 2025
Merged

cli: Support friendlier syntax for verify pypi command #87

merged 2 commits into from
Feb 11, 2025

Conversation

@facutuesca
Copy link
Collaborator

@facutuesca facutuesca commented Jan 15, 2025
edited
Loading

Rather than specify the full pythonhosted.org url for artifacts, now verify pypi also supports the friendlier syntax $PKG_NAME/$FILE_NAME

pypi-attestations verify pypi --repository https://github.com/sigstore/sigstore-python \
  sigstore/sigstore-3.6.1-py3-none-any.whl

This fixes #84

@facutuesca facutuesca force-pushed the ft/friendly-cli-verify branch 3 times, most recently from 2afc656 to f803566 Compare January 15, 2025 17:18
@facutuesca facutuesca requested a review from woodruffw January 15, 2025 17:20
@facutuesca
Copy link
Collaborator Author

@woodruffw wdyt about the syntax? $PKG_NAME/$FILE_NAME is sort of ambiguous (since it does look like folder/file). An alternative could be adding a prefix to the "path", something like pypi:sampleproject/sampleproject-1.0.0.tar.gz

@woodruffw
Copy link
Member

Yeah, I think this is too confusing 😅 -- having it be shorter is great, but I think you're right that it's too confusable with a local path.

Adding a prefix like pypi: would work, although IMO in that case we could drop the project/ entirely since just the wheel name should be fully unambiguous/resolvable for us (since we can parse the project from it). Thoughts? I don't love inventing new syntax for this, but given that it's an experimentation-only CLI I think it's not the worst option.

@facutuesca
Copy link
Collaborator Author

Yeah that makes sense. So it would look like:

pypi-attestations verify pypi --repository $REPO pypi:sample_project-1.0.0.tar.gz

Another option is to not use positional arguments, but options with values:

pypi-attestations verify pypi --repository $REPO --artifact-name sample_project-1.0.0.tar.gz
# and
pypi-attestations verify pypi --repository $REPO --artifact-url https://files.pythonhosted.org/....

It's not consistent with the other commands (where there is usually a positional argument for the artifact being signed over/verified), but it does make things less ambiguous. WDYT?

@woodruffw
Copy link
Member

The first form looks good to me!

@facutuesca
cli: Support friendlier syntax for verify pypi command
126eb9a 
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca facutuesca force-pushed the ft/friendly-cli-verify branch 3 times, most recently from fbc6e57 to 72e48d6 Compare February 3, 2025 15:40
@facutuesca facutuesca force-pushed the ft/friendly-cli-verify branch from 72e48d6 to 4f096a2 Compare February 3, 2025 15:41
@woodruffw woodruffw merged commit 86cc7de into main Feb 11, 2025
7 checks passed
@woodruffw woodruffw deleted the ft/friendly-cli-verify branch February 11, 2025 16:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@woodruffw woodruffw woodruffw approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature request: support short package files identifiers as arguments for: pypi-attestations verify pypi

2 participants

@facutuesca @woodruffw