"twine upload" usually fails to upload .asc files

On the most recent Foolscap release, I signed the sdist tarballs as usual, and tried to use twine to upload everything:

% python setup.py sdist --formats=zip,gztar bdist_wheel
% ls dist
foolscap-0.9.1-py2-none-any.whl     foolscap-0.9.1.tar.gz           foolscap-0.9.1.zip
% (gpg sign them all)
% ls dist
foolscap-0.9.1-py2-none-any.whl     foolscap-0.9.1.tar.gz           foolscap-0.9.1.zip
foolscap-0.9.1-py2-none-any.whl.asc foolscap-0.9.1.tar.gz.asc       foolscap-0.9.1.zip.asc
% python setup.py register
% twine upload dist/*

Twine uploaded the tar/zip/whl files, but ignored the .asc signatures, and the resulting pypi page doesn’t show them either.

After some digging, I found that twine/upload.py upload() will only use pre-signed .asc files if the command was run like cd dist; twine upload *. It won’t use them if it was run as cd dist; twine upload ./* or twine upload dist/*. The problem seems to be that the signatures dictionary is indexed by the basename of the signature files, while the lookup key is using the full (original) filename of the tarball/etc with “.asc” appended.

I think it might be simpler and safer to have the code just check for a neighboring .asc file inside the upload loop, something like:

for filename in uploads:
    package = PackageFile.from_filename(filename, comment)
    maybe_sig = package.signed_filename + ".asc"
    if os.path.exists(maybe_sig):
        package.gpg_signature = (os.path.basename(maybe_sig), sigdata)
    ...

I’ll write up a patch for this. I started to look for a way of adding a test, but the code that looks for signatures happens deep enough in upload() that it’d need a oversized mock “Repository” class to exercise the .asc check without actually uploading anything. I’m not sure what the best way to approach the test would be.