| author | Christian Heimes <christian@python.org> | 2020-05-20 16:37:25 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-05-20 07:37:25 -0700 |
| commit | 5210488f65e41038e5721d31792fae784c39d649 (patch) | |
| tree | ea917d4de967daa8a9727657e8a9f62045415ddc /command/upload.py | |
| parent | b9d48323ce2571376ba34c05d65450f66e1581e9 (diff) | |
| download | python-setuptools-git-5210488f65e41038e5721d31792fae784c39d649.tar.gz | |
bpo-40698: Improve distutils upload hash digests (GH-20260)
- Fix upload test on systems that block MD5
- Add SHA2-256 and Blake2b-256 digests based on new Warehouse and twine
specs.
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'command/upload.py')
| -rw-r--r-- | command/upload.py | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/command/upload.py b/command/upload.py
index d822ba01..95e9fda1 100644
--- a/command/upload.py
+++ b/command/upload.py
@@ -16,6 +16,16 @@ from distutils.core import PyPIRCCommand
 from distutils.spawn import spawn
 from distutils import log
+
+# PyPI Warehouse supports MD5, SHA256, and Blake2 (blake2-256)
+# https://bugs.python.org/issue40698
+_FILE_CONTENT_DIGESTS = {
+ "md5_digest": getattr(hashlib, "md5", None),
+ "sha256_digest": getattr(hashlib, "sha256", None),
+ "blake2_256_digest": getattr(hashlib, "blake2b", None),
+}
+
+
 class upload(PyPIRCCommand):
 description = "upload binary package to PyPI"
@@ -87,6 +97,7 @@ class upload(PyPIRCCommand):
 content = f.read()
 finally:
 f.close()
+
 meta = self.distribution.metadata
 data = {
 # action
@@ -101,7 +112,6 @@ class upload(PyPIRCCommand):
 'content': (os.path.basename(filename),content),
 'filetype': command,
 'pyversion': pyversion,
- 'md5_digest': hashlib.md5(content).hexdigest(),
 # additional meta-data
 'metadata_version': '1.0',
@@ -123,6 +133,16 @@ class upload(PyPIRCCommand):
 data['comment'] = ''
+ # file content digests
+ for digest_name, digest_cons in _FILE_CONTENT_DIGESTS.items():
+ if digest_cons is None:
+ continue
+ try:
+ data[digest_name] = digest_cons(content).hexdigest()
+ except ValueError:
+ # hash digest not available or blocked by security policy
+ pass
+
 if self.sign:
 with open(filename + ".asc", "rb") as f:
 data['gpg_signature'] = (os.path.basename(filename) + ".asc", |
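Review bot: The `blake2_256_digest` entry in `_FILE_CONTENT_DIGESTS` maps to the bare `hashlib.blake2b` constructor, whose default `digest_size` is 64 bytes, so the `digest_cons(content).hexdigest()` call in the last hunk produces a 512-bit digest under a field that both the comment and the field name describe as blake2-256. Bind the size where the table is built, for example `"blake2_256_digest": (lambda b: hashlib.blake2b(b, digest_size=32)) if hasattr(hashlib, "blake2b") else None,`. How the index treats a digest of the wrong length is not visible in this diff, but a mismatched value cannot serve as an integrity check on the uploaded file.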
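Review bot: In the added digest loop, `except ValueError: pass` drops a digest silently, and nothing after the loop checks that any digest reached `data`; with the unconditional `md5_digest` entry removed by this commit, a host where all three constructors are missing or blocked would upload with no content digest at all. Record the skip and fail closed when none was computed, e.g. replace `pass` with `log.info("skipping %s: digest unavailable", digest_name)` and add after the loop `if not any(k in data for k in _FILE_CONTENT_DIGESTS): raise DistutilsError("no file content digest available")` (assuming `DistutilsError` is imported in this file, which the hunks do not show). The `try` also wraps the hashing call itself, so an unrelated `ValueError` would be hidden the same way. The enclosing method begins and ends outside this hunk.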
