upload: warn the user if their signature(s) are ignored

tests/test_upload.py

@@ -162,7 +162,7 @@ def test_print_response_if_verbose(upload_settings, stub_response, caplog):
     assert caplog.messages.count(response_log) == 2
 
 
-def test_success_with_pre_signed_distribution(upload_settings, stub_repository):
+def test_success_with_pre_signed_distribution(upload_settings, stub_repository, caplog):
     """Add GPG signature provided by user to uploaded package."""
     # Upload a pre-signed distribution
     result = upload.upload(
@@ -177,6 +177,12 @@ def test_success_with_pre_signed_distribution(upload_settings, stub_repository):
         b"signature",
     )
 
+    # Ensure that a warning is emitted.
+    assert (
+        "One or more packages has an associated PGP signature; these will "
+        "be silently ignored by the index" in caplog.messages
+    )
+
 
 def test_exception_with_only_pre_signed_file(upload_settings, stub_repository):
     """Raise an exception when only a signed file is uploaded."""

twine/commands/upload.py

@@ -124,6 +124,19 @@ def upload(upload_settings: settings.Settings, dists: List[str]) -> None:
         _make_package(filename, signatures, upload_settings) for filename in uploads
     ]
 
+    # Warn the user if they're trying to upload a PGP signature to PyPI
+    # or TestPyPI, which will (as of May 2023) ignore it.
+    # This check is currently limited to just those indices, since other
+    # indices may still support PGP signatures.
+    if (
+        any(p.gpg_signature for p in packages_to_upload)
+        and "pypi.org" in repository_url
+    ):
+        logger.warning(
+            "One or more packages has an associated PGP signature; "
+            "these will be silently ignored by the index"
+        )
+
     repository = upload_settings.create_repository()
     uploaded_packages = []