Merge pull request #48 from jwodder/up-740

jwodder · web-flow · commit b32be83751c9 · 2025-09-03T10:43:20.000-04:00
Update for change in PEP 740
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,13 @@
+v1.8.0 (in development)
+-----------------------
+- Provenance support belatedly updated to match a change to PEP 740:
+    - `DistributionPackage.provenance_sha256` is now deprecated and is always
+      `None`
+    - `DistributionPackage.provenance_url` is now determined correctly and is
+      `None` when no provenance file is declared
+    - `PyPISimple.get_provenance()` no longer verifies the provenance's digest,
+      and the `verify` argument is now deprecated
+
 v1.7.0 (2025-07-28)
 -------------------
 - Support Python 3.13
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -3,6 +3,18 @@
 Changelog
 =========
 
+v1.8.0 (in development)
+-----------------------
+- Provenance support belatedly updated to match a change to :pep:`740`:
+
+  - `DistributionPackage.provenance_sha256` is now deprecated and is always
+    `None`
+  - `DistributionPackage.provenance_url` is now determined correctly and is
+    `None` when no provenance file is declared
+  - `PyPISimple.get_provenance()` no longer verifies the provenance's digest,
+    and the ``verify`` argument is now deprecated
+
+
 v1.7.0 (2025-07-28)
 -------------------
 - Support Python 3.13
diff --git a/src/pypi_simple/__init__.py b/src/pypi_simple/__init__.py
@@ -14,7 +14,7 @@
 for more information.
 """
 
-__version__ = "1.7.0"
+__version__ = "1.8.0.dev1"
 __author__ = "John Thorvald Wodder II"
 __author_email__ = "pypi-simple@varonathe.org"
 __license__ = "MIT"
diff --git a/src/pypi_simple/classes.py b/src/pypi_simple/classes.py
@@ -97,13 +97,19 @@ class DistributionPackage:
 
     #: .. versionadded:: 1.6.0
     #:
-    #: The SHA 256 digest of the package file's :pep:`740` ``.provenance``
-    #: file.
+    #: .. deprecated:: 1.8.0
     #:
-    #: If `provenance_sha256` is non-`None`, then the package repository
-    #: provides a ``.provenance`` file for the package.  If it is `None`, no
-    #: conclusions can be drawn.
-    provenance_sha256: Optional[str] = None
+    #: This attribute is deprecated; its value is always `None`.
+    provenance_sha256: None = None
+
+    #: .. versionadded:: 1.6.0
+    #:
+    #: .. versionchanged:: 1.8.0
+    #:
+    #:     ``provenance_url`` can now be `None`
+    #:
+    #: The URL of the package file's :pep:`740` provenance file, if any
+    provenance_url: Optional[str] = None
 
     @property
     def sig_url(self) -> str:
@@ -121,14 +127,6 @@ def metadata_url(self) -> str:
         """
         return url_add_suffix(self.url, ".metadata")
 
-    @property
-    def provenance_url(self) -> str:
-        """
-        The URL of the package file's :pep:`740` ``.provenance`` file, if it
-        exists; cf. `provenance_sha256`
-        """
-        return url_add_suffix(self.url, ".provenance")
-
     @classmethod
     def from_link(
         cls, link: Link, project_hint: Optional[str] = None
@@ -183,7 +181,7 @@ def from_link(
             digests=digests,
             metadata_digests=metadata_digests,
             has_metadata=has_metadata,
-            provenance_sha256=link.get_str_attrib("data-provenance"),
+            provenance_url=link.get_str_attrib("data-provenance"),
         )
 
     @classmethod
@@ -237,7 +235,7 @@ def from_file(
             has_metadata=file.has_metadata,
             size=file.size,
             upload_time=file.upload_time,
-            provenance_sha256=file.provenance,
+            provenance_url=None if file.provenance is None else str(file.provenance),
         )
 
 
diff --git a/src/pypi_simple/client.py b/src/pypi_simple/client.py
@@ -498,56 +498,42 @@ def get_package_metadata(
     def get_provenance(
         self,
         pkg: DistributionPackage,
-        verify: bool = True,
+        verify: bool = True,  # noqa: U100
         timeout: float | tuple[float, float] | None = None,
         headers: Optional[dict[str, str]] = None,
     ) -> dict[str, Any]:
         """
         .. versionadded:: 1.6.0
 
-        Retrieve the :pep:`740` ``.provenance`` file for the given
+        .. versionchanged:: 1.8.0
+
+            The ``verify`` argument is now deprecated and does nothing.
+
+        Retrieve the :pep:`740` provenance file for the given
         `DistributionPackage` and decode it as JSON.
 
-        Not all packages have ``.provenance`` files available for download; cf.
-        `DistributionPackage.provenance_sha256`.  This method will always
-        attempt to download the ``.provenance`` file regardless of the value of
-        `DistributionPackage.provenance_sha256`; if the server replies with a
-        404, a `NoProvenanceError` is raised.
+        Not all packages have provenance files available for download.  If
+        `DistributionPackage.provenance_url` is `None` or if the server replies
+        with a 404, a `NoProvenanceError` is raised.
 
         :param DistributionPackage pkg:
-            the distribution package to retrieve the ``.provenance`` file of
-        :param bool verify:
-            whether to verify the ``.provenance`` file's SHA 256 digest against
-            the retrieved data
+            the distribution package to retrieve the provenance file of
         :param timeout: optional timeout to pass to the ``requests`` call
         :type timeout: float | tuple[float,float] | None
         :param Optional[dict[str, str]] headers:
             Custom headers to provide for the request.
         :rtype: dict[str, Any]
-
         :raises NoProvenanceError:
-            if the repository responds with a 404 error code
+            if ``provenance_url`` is `None` or the repository responds with a
+            404 error code
         :raises requests.HTTPError: if the repository responds with an HTTP
             error code other than 404
-        :raises NoDigestsError:
-            if ``verify`` is true and ``pkg.provenance_sha256`` is `None`
-        :raises DigestMismatchError:
-            if ``verify`` is true and the digest of the downloaded data does
-            not match the expected value
         """
-        digester: AbstractDigestChecker
-        if verify:
-            if pkg.provenance_sha256 is not None:
-                digests = {"sha256": pkg.provenance_sha256}
-            else:
-                digests = {}
-            digester = DigestChecker(digests, pkg.provenance_url)
-        else:
-            digester = NullDigestChecker()
-        r = self.s.get(pkg.provenance_url, timeout=timeout, headers=headers)
+        url = pkg.provenance_url
+        if url is None:
+            raise NoProvenanceError(pkg.filename, None)
+        r = self.s.get(url, timeout=timeout, headers=headers)
         if r.status_code == 404:
-            raise NoProvenanceError(pkg.filename, pkg.provenance_url)
+            raise NoProvenanceError(pkg.filename, url)
         r.raise_for_status()
-        digester.update(r.content)
-        digester.finalize()
         return json.loads(r.content)  # type: ignore[no-any-return]
diff --git a/src/pypi_simple/errors.py b/src/pypi_simple/errors.py
@@ -1,3 +1,6 @@
+from typing import Optional
+
+
 class UnsupportedRepoVersionError(Exception):
     """
     Raised upon encountering a simple repository whose repository version
@@ -149,15 +152,24 @@ class NoProvenanceError(Exception):
     """
     .. versionadded:: 1.6.0
 
-    Raised by `PyPISimple.get_provenance()` when a request for a
-    ``.provenance`` file fails with a 404 error code
+    .. versionchanged:: 1.8.0
+
+        ``url`` can now be `None`
+
+    Raised by `PyPISimple.get_provenance()` when passed a `DistributionPackage`
+    with a `None` ``provenance_url`` or when a request for a provenance file
+    fails with a 404 error code
     """
 
-    def __init__(self, filename: str, url: str) -> None:
+    def __init__(self, filename: str, url: Optional[str]) -> None:
         #: The filename of the package whose provenance was requested
         self.filename = filename
-        #: The URL to which the failed request was made
+        #: The URL to which the failed request was made, or `None` if
+        #: ``provenance_url`` was `None`
         self.url = url
 
     def __str__(self) -> str:
-        return f"No .provenance file found for {self.filename} at {self.url}"
+        if self.url is None:
+            return f"No provenance file declared for {self.filename}"
+        else:
+            return f"No provenance file found for {self.filename} at {self.url}"
diff --git a/src/pypi_simple/pep691.py b/src/pypi_simple/pep691.py
@@ -1,7 +1,7 @@
 from __future__ import annotations
 from datetime import datetime
 from typing import Any, Dict, List, Optional, Union
-from pydantic import BaseModel, Field, StrictBool, field_validator
+from pydantic import BaseModel, Field, HttpUrl, StrictBool, field_validator
 from .enums import ProjectStatus
 
 
@@ -41,7 +41,7 @@ class File(BaseModel, alias_generator=shishkebab, populate_by_name=True):
     yanked: Union[StrictBool, str] = False
     size: Optional[int] = None
     upload_time: Optional[datetime] = None
-    provenance: Optional[str] = None
+    provenance: Optional[HttpUrl] = None
 
     @property
     def is_yanked(self) -> bool:
diff --git a/test/test_client.py b/test/test_client.py
@@ -1,6 +1,5 @@
 from __future__ import annotations
 import filecmp
-import hashlib
 import json
 from pathlib import Path
 from types import TracebackType
@@ -324,19 +323,19 @@ def test_utf8_declarations(content_type: str, body_decl: bytes) -> None:
         method=responses.GET,
         url="https://test.nil/simple/project/",
         body=body_decl
-        + b'<a href="../files/project-0.1.0-p\xC3\xBF42-none-any.whl">project-0.1.0-p\xC3\xBF42-none-any.whl</a>',
+        + b'<a href="../files/project-0.1.0-p\xc3\xbf42-none-any.whl">project-0.1.0-p\xc3\xbf42-none-any.whl</a>',
         content_type=content_type,
     )
     with PyPISimple("https://test.nil/simple/") as simple:
         assert simple.get_project_page("project") == ProjectPage(
             project="project",
             packages=[
                 DistributionPackage(
-                    filename="project-0.1.0-p\xFF42-none-any.whl",
+                    filename="project-0.1.0-p\xff42-none-any.whl",
                     project="project",
                     version="0.1.0",
                     package_type="wheel",
-                    url="https://test.nil/simple/files/project-0.1.0-p\xFF42-none-any.whl",
+                    url="https://test.nil/simple/files/project-0.1.0-p\xff42-none-any.whl",
                     digests={},
                     requires_python=None,
                     has_sig=None,
@@ -371,19 +370,19 @@ def test_latin2_declarations(content_type: str, body_decl: bytes) -> None:
         method=responses.GET,
         url="https://test.nil/simple/project/",
         body=body_decl
-        + b'<a href="../files/project-0.1.0-p\xC3\xBF42-none-any.whl">project-0.1.0-p\xC3\xBF42-none-any.whl</a>',
+        + b'<a href="../files/project-0.1.0-p\xc3\xbf42-none-any.whl">project-0.1.0-p\xc3\xbf42-none-any.whl</a>',
         content_type=content_type,
     )
     with PyPISimple("https://test.nil/simple/") as simple:
         assert simple.get_project_page("project") == ProjectPage(
             project="project",
             packages=[
                 DistributionPackage(
-                    filename="project-0.1.0-p\u0102\u017C42-none-any.whl",
+                    filename="project-0.1.0-p\u0102\u017c42-none-any.whl",
                     project="project",
                     version="0.1.0",
                     package_type="wheel",
-                    url="https://test.nil/simple/files/project-0.1.0-p\u0102\u017C42-none-any.whl",
+                    url="https://test.nil/simple/files/project-0.1.0-p\u0102\u017c42-none-any.whl",
                     digests={},
                     requires_python=None,
                     has_sig=None,
@@ -1017,9 +1016,9 @@ def test_get_provenance() -> None:
             digests={},
             requires_python=None,
             has_sig=None,
-            provenance_sha256=hashlib.sha256(provenance_bytes).hexdigest(),
+            provenance_url="https://test.nil/simple/packages/sampleproject-1.2.3-py3-none-any.whl.provenance",
         )
-        assert simple.get_provenance(pkg, verify=True) == provenance
+        assert simple.get_provenance(pkg) == provenance
 
 
 @responses.activate
@@ -1040,6 +1039,7 @@ def test_get_provenance_404() -> None:
             digests={},
             requires_python=None,
             has_sig=None,
+            provenance_url="https://test.nil/simple/packages/sampleproject-1.2.3-py3-none-any.whl.provenance",
         )
         with pytest.raises(NoProvenanceError) as excinfo:
             simple.get_provenance(pkg, verify=False)
@@ -1050,29 +1050,5 @@ def test_get_provenance_404() -> None:
         )
         assert (
             str(excinfo.value)
-            == "No .provenance file found for sampleproject-1.2.3-py3-none-any.whl at https://test.nil/simple/packages/sampleproject-1.2.3-py3-none-any.whl.provenance"
+            == "No provenance file found for sampleproject-1.2.3-py3-none-any.whl at https://test.nil/simple/packages/sampleproject-1.2.3-py3-none-any.whl.provenance"
         )
-
-
-@responses.activate
-def test_get_provenance_verify_no_digest() -> None:
-    responses.add(
-        method=responses.GET,
-        url="https://test.nil/simple/packages/sampleproject-1.2.3-py3-none-any.whl.provenance",
-        body="Does not exist",
-        status=404,
-    )
-    with PyPISimple("https://test.nil/simple/") as simple:
-        pkg = DistributionPackage(
-            filename="sampleproject-1.2.3-py3-none-any.whl",
-            project="sampleproject",
-            version="1.2.3",
-            package_type="wheel",
-            url="https://test.nil/simple/packages/sampleproject-1.2.3-py3-none-any.whl",
-            digests={},
-            requires_python=None,
-            has_sig=None,
-            provenance_sha256=None,
-        )
-        with pytest.raises(NoDigestsError):
-            simple.get_provenance(pkg, verify=True)
diff --git a/test/test_distrib_pkg.py b/test/test_distrib_pkg.py
@@ -96,7 +96,7 @@ def test_get_sig_url(has_sig: bool) -> None:
                     "data-gpg-sig": "true",
                     "data-core-metadata": "sha256=ae718719df4708f329d58ca4d5390c1206c4222ef7e62a3aa9844397c63de28b",
                     "data-yanked": "Oopsy.",
-                    "data-provenance": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                    "data-provenance": "https://example.com/pypi-provenance/qypi-0.1.0-py3-none-any.whl.provenance",
                 },
             ),
             DistributionPackage(
@@ -116,7 +116,7 @@ def test_get_sig_url(has_sig: bool) -> None:
                     "sha256": "ae718719df4708f329d58ca4d5390c1206c4222ef7e62a3aa9844397c63de28b"
                 },
                 has_metadata=True,
-                provenance_sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                provenance_url="https://example.com/pypi-provenance/qypi-0.1.0-py3-none-any.whl.provenance",
             ),
         ),
         (
@@ -199,27 +199,6 @@ def test_pep658_no_digests() -> None:
     )
 
 
-def test_provenance_url() -> None:
-    pkg = DistributionPackage(
-        filename="qypi-0.1.0-py3-none-any.whl",
-        url="https://files.pythonhosted.org/packages/82/fc/9e25534641d7f63be93079bc07fa92bab136ddf5d4181059a1308a346f96/qypi-0.1.0-py3-none-any.whl",
-        digests={
-            "sha256": "da69d28dcd527c0e372b3fa7b92fc333b327f8470175f035abc4e351b539189f"
-        },
-        has_sig=True,
-        requires_python="~= 3.6",
-        project="qypi",
-        version="0.1.0",
-        package_type="wheel",
-        is_yanked=False,
-        yanked_reason=None,
-    )
-    assert (
-        pkg.provenance_url
-        == "https://files.pythonhosted.org/packages/82/fc/9e25534641d7f63be93079bc07fa92bab136ddf5d4181059a1308a346f96/qypi-0.1.0-py3-none-any.whl.provenance"
-    )
-
-
 def test_from_json_data_no_metadata() -> None:
     pkg = DistributionPackage.from_json_data(
         {
@@ -276,10 +255,10 @@ def test_from_json_data_provenance() -> None:
             "requires-python": "~=3.6",
             "url": "https://files.pythonhosted.org/packages/b5/2b/7aa284f345e37f955d86e4cd57b1039b573552b0fc29d1a522ec05c1ee41/argset-0.1.0-py3-none-any.whl",
             "yanked": False,
-            "provenance": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+            "provenance": "https://example.com/pypi-provenance/argset-0.1.0-py3-none-any.whl.provenance",
         }
     )
     assert (
-        pkg.provenance_sha256
-        == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+        pkg.provenance_url
+        == "https://example.com/pypi-provenance/argset-0.1.0-py3-none-any.whl.provenance"
     )
