author Sybren A. Stüvel <sybren@stuvel.eu> 2022-07-15 08:41:53 +0200
committer Sybren A. Stüvel <sybren@stuvel.eu> 2022-07-15 08:41:53 +0200
commit f6086af9082396f0c9d1326b481fd96fc4bf883d
tree 0ac8ddf9c341c9c366a7b5dc83ea64247ae8237e
parent 76c0e6901cde36743fd6cbb5251a91bfb3a3352d
Document package publishing with 2FA + API keys
This project has been marked as "critical" on the Python Package Index, which has some implications on the way new versions should be published.
-rw-r--r-- README.md 12
1 files changed, 12 insertions, 0 deletions
diff --git a/README.md b/README.md
index 02761da..542926f 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,18 @@ poetry install
## Publishing a New Release
+Since this project is considered critical on the Python Package Index,
+two-factor authentication is required. For uploading packages to PyPi, an API
+key is required; username+password will not work.
+
+First, generate an API token at https://pypi.org/manage/account/token/. Then,
+use this token when publishing instead of your username and password.
+
+As username, use `__token__`.
+As password, use the token itself, including the `pypi-` prefix.
+
+See https://pypi.org/help/#apitoken for help using API tokens to publish.
+
```
. ./.venv/bin/activate
poetry publish --build
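Review bot: The added paragraph starting "First, generate an API token at https://pypi.org/manage/account/token/" does not say what scope the token should have. For a package marked critical, the README should recommend a token scoped to this project only rather than an account-wide one, so that a leaked token cannot be used to publish the maintainer's other projects. The `__token__` and `pypi-` lines also leave open how the credentials reach `poetry publish --build` in the unchanged snippet that follows: state whether the maintainer is expected to answer Poetry's username/password prompt or to store the token with `poetry config pypi-token.pypi`, and advise against passing it with `--password` on the command line, where it ends up in shell history. Minor: "PyPi" in the first added paragraph should be spelled "PyPI".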