From 3a2f02f7db0dec986c11af0b0a4a2b1442cdc722 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 7 Oct 2024 12:19:46 -0400 Subject: [PATCH] _cli: handle dists vs. attestations as inputs more gracefully See #55. Signed-off-by: William Woodruff --- src/pypi_attestations/_cli.py | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/pypi_attestations/_cli.py b/src/pypi_attestations/_cli.py index 394fdda..654a556 100644 --- a/src/pypi_attestations/_cli.py +++ b/src/pypi_attestations/_cli.py @@ -264,22 +264,34 @@ def _verify(args: argparse.Namespace) -> None: should_exist=True, ) + inputs: list[Path] = [] for file_path in args.files: - attestation_path = Path(f"{file_path}.publish.attestation") + # Collect only the inputs themselves, not their attestations. + # Attestation paths are inferred subsequently. + if file_path.name.endswith(".publish.attestation"): + _logger.warning(f"skipping attestation path while collecting file inputs: {file_path}") + continue + inputs.append(file_path) + + if not inputs: + _die("No inputs given; make sure you passed distributions and not attestations as inputs") + + for input in inputs: + attestation_path = Path(f"{input}.publish.attestation") try: attestation = Attestation.model_validate_json(attestation_path.read_text()) except ValidationError as validation_error: - _die(f"Invalid attestation ({file_path}): {validation_error}") + _die(f"Invalid attestation ({attestation_path}): {validation_error}") try: - dist = Distribution.from_file(file_path) + dist = Distribution.from_file(input) except ValidationError as e: _die(f"Invalid Python package distribution: {e}") try: attestation.verify(verifier, pol, dist) except VerificationError as verification_error: - _die(f"Verification failed for {file_path}: {verification_error}") + _die(f"Verification failed for {input}: {verification_error}") _logger.info(f"OK: {attestation_path}")