[Catalog-sig] getting the public key when --sign is used
M.-A. Lemburg
mal at egenix.com
Mon Nov 19 19:55:08 CET 2012
On 19.11.2012 19:37, Tarek Ziadé wrote:
> Hey
>
>
> I am currently writing a small script to verify that the gpg signature is correct when the --sign option
> is used with the Distutils upload command, and I was wondering why we don't publish the public key
> alongside the .asc file.
>
> Right now, unless I missed something, to verify a signature the user has to manually get the public key
> before she can control the tarball.
>
> Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive file
> and the .asc file on PyPI? (since we don't have a notion of team/users etc.)

Doesn't that cause problems when revoking a public key?

--
Marc-Andre Lemburg
eGenix.com