_cli: exit with an error code when verification fails (#57)

woodruffw · web-flow · commit f45bee359556 · 2024-10-07T11:44:48.000-04:00
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -13,6 +13,7 @@ jobs:
         python:
           - "3.11"
           - "3.12"
+          - "3.13"
     runs-on: ubuntu-latest
     permissions:
       id-token: write  # unit tests use the ambient OIDC credential
@@ -24,6 +25,7 @@ jobs:
           python-version: ${{ matrix.python }}
           cache: "pip"
           cache-dependency-path: pyproject.toml
+          allow-prereleases: true
 
       - name: test
         run: make test INSTALL_EXTRA=test
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- `python -m pypi_attestations verify` now exits with a non-zero exit code
+  if the verification step fails
+  ([#57](https://github.com/trailofbits/pypi-attestations/pull/57))
+
 ## [0.0.12]
 
 ### Fixed
diff --git a/src/pypi_attestations/_cli.py b/src/pypi_attestations/_cli.py
@@ -279,8 +279,7 @@ def _verify(args: argparse.Namespace) -> None:
         try:
             attestation.verify(verifier, pol, dist)
         except VerificationError as verification_error:
-            _logger.error("Verification failed for %s: %s", file_path, verification_error)
-            continue
+            _die(f"Verification failed for {file_path}: {verification_error}")
 
         _logger.info(f"OK: {attestation_path}")
 
diff --git a/test/test_cli.py b/test/test_cli.py
@@ -191,15 +191,16 @@ def test_verify_command(caplog: pytest.LogCaptureFixture, monkeypatch: pytest.Mo
 
     caplog.clear()
 
-    # Failure from the Sigstore environment
-    run_main_with_command(
-        [
-            "verify",
-            "--identity",
-            "william@yossarian.net",
-            artifact_path.as_posix(),
-        ]
-    )
+    with pytest.raises(SystemExit):
+        # Failure from the Sigstore environment
+        run_main_with_command(
+            [
+                "verify",
+                "--identity",
+                "william@yossarian.net",
+                artifact_path.as_posix(),
+            ]
+        )
     assert (
         "Verification failed: failed to build chain: unable to get local issuer certificate"
         in caplog.text
