pypiratzzi: No More Signatures on PyPI
August 11, 2023
The Python Package Index (PyPI) has recently decided to stop allowing publishers to upload cryptographic signatures.
There is a summary on LWN. The main justification seems to be that this hidden feature wasn’t used very successfully.
Now What? Shave Yak 1
Whether one agrees with this justification or not, I now have to find “somewhere else” to put signatures. In txtorcon I have been committing the signatures to git (as well as uploading to PyPI) for some time; Debian seems happy to consume the signatures this way.
Other projects don’t necessarily do this. For example, magic-wormhole only has signatures available on PyPI.
So now, to do a release of that, I need to figure out “somewhere else” to put signatures.
Fine, I’ll put them in ./signatures/*.asc – but what about the old ones?
Shave Yak 2
The PyPI blog post about their new feature to silently ignore uploaded signatures says that existing signatures “may be removed in the future”.
Since they’re still available and working now, it’s time to write more software!
I hereby release pypiratzzi.
This software will (try to) download all the signatures for a particular package from PyPI. You can currently install it with pip install pypiratzzi.
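For readers who want to see what such a download involves, here is an added example; it is not pypiratzzi's own code. It assumes the PyPI JSON API at https://pypi.org/pypi/<project>/json, the per-file "has_sig" flag in that response, and that a file's detached signature is served at the file's URL with ".asc" appended; all three are this example's assumptions about PyPI, and the sample response below is constructed. The 404 handling covers the case the blog post warns about, where a signature has since been removed.

```python
import json
import sys
import urllib.error
import urllib.request
from pathlib import Path

# Constructed sample of the PyPI JSON API response shape
# (https://pypi.org/pypi/<project>/json). Real responses carry many more
# fields; only those used below are included. The "has_sig" flag and the
# "<file url>.asc" location of the detached signature are this example's
# assumptions about PyPI, not something the pypiratzzi project documents.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "example-pkg"},
    "releases": {
        "1.0.0": [
            {"filename": "example_pkg-1.0.0-py3-none-any.whl",
             "url": "https://files.pythonhosted.org/packages/aa/bb/example_pkg-1.0.0-py3-none-any.whl",
             "has_sig": True},
            {"filename": "example-pkg-1.0.0.tar.gz",
             "url": "https://files.pythonhosted.org/packages/aa/bb/example-pkg-1.0.0.tar.gz",
             "has_sig": True},
        ],
        "1.1.0": [
            {"filename": "example-pkg-1.1.0.tar.gz",
             "url": "https://files.pythonhosted.org/packages/cc/dd/example-pkg-1.1.0.tar.gz",
             "has_sig": False},
        ],
    },
})


def signature_urls(pypi_json: str) -> list[tuple[str, str, str]]:
    """Return (version, filename, signature_url) for every release file
    that PyPI marks as signed; unsigned files are skipped."""
    data = json.loads(pypi_json)
    found = []
    for version, files in data["releases"].items():
        for f in files:
            if f.get("has_sig"):
                found.append((version, f["filename"], f["url"] + ".asc"))
    return found


def fetch_signature(url: str, dest: Path) -> bool:
    """Download one .asc to dest. Returns False (without raising) on a 404,
    which is what a signature that has since been removed will look like."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False
        raise
    # A detached OpenPGP signature is ASCII-armoured; refuse anything else so
    # a CDN error page never lands in signatures/ looking like a signature.
    if not body.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        raise ValueError(f"{url}: response is not an ASCII-armoured PGP signature")
    dest.write_bytes(body)
    return True


def main(project: str, outdir: str = "signatures") -> None:
    with urllib.request.urlopen(f"https://pypi.org/pypi/{project}/json", timeout=30) as resp:
        pypi_json = resp.read().decode()
    out = Path(outdir)
    out.mkdir(exist_ok=True)
    for version, filename, sig_url in signature_urls(pypi_json):
        ok = fetch_signature(sig_url, out / (filename + ".asc"))
        print(f"{version} {filename}.asc: {'saved' if ok else 'MISSING (404)'}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: fetch_sigs.py <project> [outdir]")
    main(*sys.argv[1:3])
```

A downloaded .asc is only a claim until it is checked: run gpg --verify on each signature against the matching release file, using the maintainer's key obtained out of band, before treating the files in signatures/ as anything more than an archive.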