bpo-40698: Improve distutils upload hash digests (GH-20260)
- Fix upload test on systems that blocks MD5
- Add SHA2-256 and Blake2b-256 digests based on new Warehous and twine
specs.
Signed-off-by: Christian Heimes <christian@python.org>
diff --git a/Lib/distutils/command/upload.py b/Lib/distutils/command/upload.py
index d822ba0..95e9fda 100644
--- a/Lib/distutils/command/upload.py
+++ b/Lib/distutils/command/upload.py
@@ -16,6 +16,16 @@
from distutils.spawn import spawn
from distutils import log
+
+# PyPI Warehouse supports MD5, SHA256, and Blake2 (blake2-256)
+# https://bugs.python.org/issue40698
+_FILE_CONTENT_DIGESTS = {
+ "md5_digest": getattr(hashlib, "md5", None),
+ "sha256_digest": getattr(hashlib, "sha256", None),
+ "blake2_256_digest": getattr(hashlib, "blake2b", None),
+}
+
+
class upload(PyPIRCCommand):
description = "upload binary package to PyPI"
@@ -87,6 +97,7 @@
content = f.read()
finally:
f.close()
+
meta = self.distribution.metadata
data = {
# action
@@ -101,7 +112,6 @@
'content': (os.path.basename(filename),content),
'filetype': command,
'pyversion': pyversion,
- 'md5_digest': hashlib.md5(content).hexdigest(),
# additional meta-data
'metadata_version': '1.0',
@@ -123,6 +133,16 @@
data['comment'] = ''
+ # file content digests
+ for digest_name, digest_cons in _FILE_CONTENT_DIGESTS.items():
+ if digest_cons is None:
+ continue
+ try:
+ data[digest_name] = digest_cons(content).hexdigest()
+ except ValueError:
+ # hash digest not available or blocked by security policy
+ pass
+
if self.sign:
with open(filename + ".asc", "rb") as f:
data['gpg_signature'] = (os.path.basename(filename) + ".asc",