diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 0a71c6e..dc58ab8 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -13,6 +13,7 @@ jobs:
 python:
 - "3.11"
 - "3.12"
+ - "3.13"
 runs-on: ubuntu-latest
 permissions:
 id-token: write # unit tests use the ambient OIDC credential
@@ -24,6 +25,7 @@ jobs:
 python-version: ${{ matrix.python }}
 cache: "pip"
 cache-dependency-path: pyproject.toml
+ allow-prereleases: true
 - name: test
 run: make test INSTALL_EXTRA=test
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 60c5e13..acf21aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Fixed
+
+- `python -m pypi_attestations verify` now exits with a non-zero exit code
+ if the verification step fails
+ ([#57](https://github.com/trailofbits/pypi-attestations/pull/57))
+
 ## [0.0.12]
 ### Fixed
diff --git a/src/pypi_attestations/_cli.py b/src/pypi_attestations/_cli.py
index 4fdc791..394fdda 100644
--- a/src/pypi_attestations/_cli.py
+++ b/src/pypi_attestations/_cli.py
@@ -279,8 +279,7 @@ def _verify(args: argparse.Namespace) -> None:
 try:
 attestation.verify(verifier, pol, dist)
 except VerificationError as verification_error:
- _logger.error("Verification failed for %s: %s", file_path, verification_error)
- continue
+ _die(f"Verification failed for {file_path}: {verification_error}")
 _logger.info(f"OK: {attestation_path}")
diff --git a/test/test_cli.py b/test/test_cli.py
index 969568c..a75d345 100644
--- a/test/test_cli.py
+++ b/test/test_cli.py
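Review bot: In the `_verify` hunk of `src/pypi_attestations/_cli.py`, calling `_die(...)` inside the `except VerificationError` branch ends the run at the first failing file, so files that follow on the same command line are never verified or reported. The removed `continue` indicates this sits in a loop, which starts outside the hunk, and the updated test expects `_die` to raise `SystemExit`. If a per-file report matters, keep `_logger.error("Verification failed for %s: %s", file_path, verification_error)`, set a flag such as `failed = True` before `continue`, and call `_die` once after the loop so the exit status is still non-zero. If fail-fast is intended, a comment above the call such as `# Fail closed: stop at the first attestation that does not verify.` would record that choice.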
@@ -191,15 +191,16 @@ def test_verify_command(caplog: pytest.LogCaptureFixture, monkeypatch: pytest.Mo
 caplog.clear()
- # Failure from the Sigstore environment
- run_main_with_command(
- [
- "verify",
- "--identity",
- "william@yossarian.net",
- artifact_path.as_posix(),
- ]
- )
+ with pytest.raises(SystemExit):
+ # Failure from the Sigstore environment
+ run_main_with_command(
+ [
+ "verify",
+ "--identity",
+ "william@yossarian.net",
+ artifact_path.as_posix(),
+ ]
+ )
 assert (
 "Verification failed: failed to build chain: unable to get local issuer certificate"
 in caplog.text
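Review bot: `with pytest.raises(SystemExit):` in `test_verify_command` accepts any exit status, including `SystemExit(0)` or a bare `SystemExit()`, so the test does not pin the non-zero exit code that the changelog entry in this commit promises. Capture the exception with `with pytest.raises(SystemExit) as exc_info:` and, after the block, add `assert exc_info.value.code not in (0, None)`. Scripts and CI jobs that gate on the status of `verify` rely on exactly that property, so it is worth asserting directly. The test function starts above the hunk and continues past it.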