317 lines
11 KiB
Python
317 lines
11 KiB
Python
|
# Copyright 2015 Ian Cordasco
|
||
|
#
|
||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
# you may not use this file except in compliance with the License.
|
||
|
# You may obtain a copy of the License at
|
||
|
#
|
||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||
|
#
|
||
|
# Unless required by applicable law or agreed to in writing, software
|
||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
# See the License for the specific language governing permissions and
|
||
|
# limitations under the License.
|
||
|
import hashlib
|
||
|
import io
|
||
|
import logging
|
||
|
import os
|
||
|
import re
|
||
|
import subprocess
|
||
|
from typing import Dict, NamedTuple, Optional, Sequence, Tuple, Union
|
||
|
|
||
|
import importlib_metadata
|
||
|
import pkginfo
|
||
|
from rich import print
|
||
|
|
||
|
from twine import exceptions
|
||
|
from twine import wheel
|
||
|
from twine import wininst
|
||
|
|
||
|
DIST_TYPES = {
|
||
|
"bdist_wheel": wheel.Wheel,
|
||
|
"bdist_wininst": wininst.WinInst,
|
||
|
"bdist_egg": pkginfo.BDist,
|
||
|
"sdist": pkginfo.SDist,
|
||
|
}
|
||
|
|
||
|
DIST_EXTENSIONS = {
|
||
|
".whl": "bdist_wheel",
|
||
|
".exe": "bdist_wininst",
|
||
|
".egg": "bdist_egg",
|
||
|
".tar.bz2": "sdist",
|
||
|
".tar.gz": "sdist",
|
||
|
".zip": "sdist",
|
||
|
}
|
||
|
|
||
|
MetadataValue = Union[str, Sequence[str]]
|
||
|
|
||
|
logger = logging.getLogger(__name__)
|
||
|
|
||
|
|
||
|
def _safe_name(name: str) -> str:
|
||
|
"""Convert an arbitrary string to a standard distribution name.
|
||
|
|
||
|
Any runs of non-alphanumeric/. characters are replaced with a single '-'.
|
||
|
|
||
|
Copied from pkg_resources.safe_name for compatibility with warehouse.
|
||
|
See https://github.com/pypa/twine/issues/743.
|
||
|
"""
|
||
|
return re.sub("[^A-Za-z0-9.]+", "-", name)
|
||
|
|
||
|
|
||
|
class PackageFile:
|
||
|
def __init__(
|
||
|
self,
|
||
|
filename: str,
|
||
|
comment: Optional[str],
|
||
|
metadata: pkginfo.Distribution,
|
||
|
python_version: Optional[str],
|
||
|
filetype: Optional[str],
|
||
|
) -> None:
|
||
|
self.filename = filename
|
||
|
self.basefilename = os.path.basename(filename)
|
||
|
self.comment = comment
|
||
|
self.metadata = metadata
|
||
|
self.python_version = python_version
|
||
|
self.filetype = filetype
|
||
|
self.safe_name = _safe_name(metadata.name)
|
||
|
self.signed_filename = self.filename + ".asc"
|
||
|
self.signed_basefilename = self.basefilename + ".asc"
|
||
|
self.gpg_signature: Optional[Tuple[str, bytes]] = None
|
||
|
|
||
|
hasher = HashManager(filename)
|
||
|
hasher.hash()
|
||
|
hexdigest = hasher.hexdigest()
|
||
|
|
||
|
self.md5_digest = hexdigest.md5
|
||
|
self.sha2_digest = hexdigest.sha2
|
||
|
self.blake2_256_digest = hexdigest.blake2
|
||
|
|
||
|
@classmethod
|
||
|
def from_filename(cls, filename: str, comment: Optional[str]) -> "PackageFile":
|
||
|
# Extract the metadata from the package
|
||
|
for ext, dtype in DIST_EXTENSIONS.items():
|
||
|
if filename.endswith(ext):
|
||
|
try:
|
||
|
meta = DIST_TYPES[dtype](filename)
|
||
|
except EOFError:
|
||
|
raise exceptions.InvalidDistribution(
|
||
|
"Invalid distribution file: '%s'" % os.path.basename(filename)
|
||
|
)
|
||
|
else:
|
||
|
break
|
||
|
else:
|
||
|
raise exceptions.InvalidDistribution(
|
||
|
"Unknown distribution format: '%s'" % os.path.basename(filename)
|
||
|
)
|
||
|
|
||
|
# If pkginfo encounters a metadata version it doesn't support, it may give us
|
||
|
# back empty metadata. At the very least, we should have a name and version,
|
||
|
# which could also be empty if, for example, a MANIFEST.in doesn't include
|
||
|
# setup.cfg.
|
||
|
missing_fields = [
|
||
|
f.capitalize() for f in ["name", "version"] if not getattr(meta, f)
|
||
|
]
|
||
|
if missing_fields:
|
||
|
supported_metadata = list(pkginfo.distribution.HEADER_ATTRS)
|
||
|
raise exceptions.InvalidDistribution(
|
||
|
"Metadata is missing required fields: "
|
||
|
f"{', '.join(missing_fields)}.\n"
|
||
|
"Make sure the distribution includes the files where those fields "
|
||
|
"are specified, and is using a supported Metadata-Version: "
|
||
|
f"{', '.join(supported_metadata)}."
|
||
|
)
|
||
|
|
||
|
py_version: Optional[str]
|
||
|
if dtype == "bdist_egg":
|
||
|
(dist,) = importlib_metadata.Distribution.discover( # type: ignore[no-untyped-call] # python/importlib_metadata#288 # noqa: E501
|
||
|
path=[filename]
|
||
|
)
|
||
|
py_version = dist.metadata["Version"]
|
||
|
elif dtype == "bdist_wheel":
|
||
|
py_version = meta.py_version
|
||
|
elif dtype == "bdist_wininst":
|
||
|
py_version = meta.py_version
|
||
|
else:
|
||
|
py_version = None
|
||
|
|
||
|
return cls(filename, comment, meta, py_version, dtype)
|
||
|
|
||
|
def metadata_dictionary(self) -> Dict[str, MetadataValue]:
|
||
|
"""Merge multiple sources of metadata into a single dictionary.
|
||
|
|
||
|
Includes values from filename, PKG-INFO, hashers, and signature.
|
||
|
"""
|
||
|
meta = self.metadata
|
||
|
data = {
|
||
|
# identify release
|
||
|
"name": self.safe_name,
|
||
|
"version": meta.version,
|
||
|
# file content
|
||
|
"filetype": self.filetype,
|
||
|
"pyversion": self.python_version,
|
||
|
# additional meta-data
|
||
|
"metadata_version": meta.metadata_version,
|
||
|
"summary": meta.summary,
|
||
|
"home_page": meta.home_page,
|
||
|
"author": meta.author,
|
||
|
"author_email": meta.author_email,
|
||
|
"maintainer": meta.maintainer,
|
||
|
"maintainer_email": meta.maintainer_email,
|
||
|
"license": meta.license,
|
||
|
"description": meta.description,
|
||
|
"keywords": meta.keywords,
|
||
|
"platform": meta.platforms,
|
||
|
"classifiers": meta.classifiers,
|
||
|
"download_url": meta.download_url,
|
||
|
"supported_platform": meta.supported_platforms,
|
||
|
"comment": self.comment,
|
||
|
"sha256_digest": self.sha2_digest,
|
||
|
# PEP 314
|
||
|
"provides": meta.provides,
|
||
|
"requires": meta.requires,
|
||
|
"obsoletes": meta.obsoletes,
|
||
|
# Metadata 1.2
|
||
|
"project_urls": meta.project_urls,
|
||
|
"provides_dist": meta.provides_dist,
|
||
|
"obsoletes_dist": meta.obsoletes_dist,
|
||
|
"requires_dist": meta.requires_dist,
|
||
|
"requires_external": meta.requires_external,
|
||
|
"requires_python": meta.requires_python,
|
||
|
# Metadata 2.1
|
||
|
"provides_extras": meta.provides_extras,
|
||
|
"description_content_type": meta.description_content_type,
|
||
|
# Metadata 2.2
|
||
|
"dynamic": meta.dynamic,
|
||
|
}
|
||
|
|
||
|
if self.gpg_signature is not None:
|
||
|
data["gpg_signature"] = self.gpg_signature
|
||
|
|
||
|
# FIPS disables MD5 and Blake2, making the digest values None. Some package
|
||
|
# repositories don't allow null values, so this only sends non-null values.
|
||
|
# See also: https://github.com/pypa/twine/issues/775
|
||
|
if self.md5_digest:
|
||
|
data["md5_digest"] = self.md5_digest
|
||
|
|
||
|
if self.blake2_256_digest:
|
||
|
data["blake2_256_digest"] = self.blake2_256_digest
|
||
|
|
||
|
return data
|
||
|
|
||
|
def add_gpg_signature(
|
||
|
self, signature_filepath: str, signature_filename: str
|
||
|
) -> None:
|
||
|
if self.gpg_signature is not None:
|
||
|
raise exceptions.InvalidDistribution("GPG Signature can only be added once")
|
||
|
|
||
|
with open(signature_filepath, "rb") as gpg:
|
||
|
self.gpg_signature = (signature_filename, gpg.read())
|
||
|
|
||
|
def sign(self, sign_with: str, identity: Optional[str]) -> None:
|
||
|
print(f"Signing {self.basefilename}")
|
||
|
gpg_args: Tuple[str, ...] = (sign_with, "--detach-sign")
|
||
|
if identity:
|
||
|
gpg_args += ("--local-user", identity)
|
||
|
gpg_args += ("-a", self.filename)
|
||
|
self.run_gpg(gpg_args)
|
||
|
|
||
|
self.add_gpg_signature(self.signed_filename, self.signed_basefilename)
|
||
|
|
||
|
@classmethod
|
||
|
def run_gpg(cls, gpg_args: Tuple[str, ...]) -> None:
|
||
|
try:
|
||
|
subprocess.check_call(gpg_args)
|
||
|
return
|
||
|
except FileNotFoundError:
|
||
|
if gpg_args[0] != "gpg":
|
||
|
raise exceptions.InvalidSigningExecutable(
|
||
|
f"{gpg_args[0]} executable not available."
|
||
|
)
|
||
|
|
||
|
logger.warning("gpg executable not available. Attempting fallback to gpg2.")
|
||
|
try:
|
||
|
subprocess.check_call(("gpg2",) + gpg_args[1:])
|
||
|
except FileNotFoundError:
|
||
|
raise exceptions.InvalidSigningExecutable(
|
||
|
"'gpg' or 'gpg2' executables not available.\n"
|
||
|
"Try installing one of these or specifying an executable "
|
||
|
"with the --sign-with flag."
|
||
|
)
|
||
|
|
||
|
|
||
|
class Hexdigest(NamedTuple):
|
||
|
md5: Optional[str]
|
||
|
sha2: Optional[str]
|
||
|
blake2: Optional[str]
|
||
|
|
||
|
|
||
|
class HashManager:
|
||
|
"""Manage our hashing objects for simplicity.
|
||
|
|
||
|
This will also allow us to better test this logic.
|
||
|
"""
|
||
|
|
||
|
def __init__(self, filename: str) -> None:
|
||
|
"""Initialize our manager and hasher objects."""
|
||
|
self.filename = filename
|
||
|
|
||
|
self._md5_hasher = None
|
||
|
try:
|
||
|
self._md5_hasher = hashlib.md5()
|
||
|
except ValueError:
|
||
|
# FIPs mode disables MD5
|
||
|
pass
|
||
|
|
||
|
self._sha2_hasher = hashlib.sha256()
|
||
|
|
||
|
self._blake_hasher = None
|
||
|
try:
|
||
|
self._blake_hasher = hashlib.blake2b(digest_size=256 // 8)
|
||
|
except (ValueError, TypeError):
|
||
|
# FIPS mode disables blake2
|
||
|
pass
|
||
|
|
||
|
def _md5_update(self, content: bytes) -> None:
|
||
|
if self._md5_hasher is not None:
|
||
|
self._md5_hasher.update(content)
|
||
|
|
||
|
def _md5_hexdigest(self) -> Optional[str]:
|
||
|
if self._md5_hasher is not None:
|
||
|
return self._md5_hasher.hexdigest()
|
||
|
return None
|
||
|
|
||
|
def _sha2_update(self, content: bytes) -> None:
|
||
|
if self._sha2_hasher is not None:
|
||
|
self._sha2_hasher.update(content)
|
||
|
|
||
|
def _sha2_hexdigest(self) -> Optional[str]:
|
||
|
if self._sha2_hasher is not None:
|
||
|
return self._sha2_hasher.hexdigest()
|
||
|
return None
|
||
|
|
||
|
def _blake_update(self, content: bytes) -> None:
|
||
|
if self._blake_hasher is not None:
|
||
|
self._blake_hasher.update(content)
|
||
|
|
||
|
def _blake_hexdigest(self) -> Optional[str]:
|
||
|
if self._blake_hasher is not None:
|
||
|
return self._blake_hasher.hexdigest()
|
||
|
return None
|
||
|
|
||
|
def hash(self) -> None:
|
||
|
"""Hash the file contents."""
|
||
|
with open(self.filename, "rb") as fp:
|
||
|
for content in iter(lambda: fp.read(io.DEFAULT_BUFFER_SIZE), b""):
|
||
|
self._md5_update(content)
|
||
|
self._sha2_update(content)
|
||
|
self._blake_update(content)
|
||
|
|
||
|
def hexdigest(self) -> Hexdigest:
|
||
|
"""Return the hexdigest for the file."""
|
||
|
return Hexdigest(
|
||
|
self._md5_hexdigest(),
|
||
|
self._sha2_hexdigest(),
|
||
|
self._blake_hexdigest(),
|
||
|
)
|