[Python-Dev] PEP 427 comment: code signing

Antoine Pitrou solipsis at pitrou.net
Mon Oct 22 21:37:00 CEST 2012


On Mon, 22 Oct 2012 15:20:01 -0400
Daniel Holth <dholth at gmail.com> wrote:
> 
> The decoded contents are like the JSON documents at
> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions
> 
> Signing is implemented at:
> https://bitbucket.org/dholth/wheel/src/tip/wheel/signatures/__init__.py?at=default#cl-25
> 
> The SHA-256 hash of RECORD is what is signed together with JWS
> signature header. The JWS spec elaborates on the general format.

Thank you. Could you fix the terminology in the PEP? You are using the
term "payload" in a different sense from the JWS draft. Specifically,
the PEP should mention that the "JWS Payload" is the binary
contents of the RECORD file.

What you are calling payload is actually the "JWS Signature".

Regards

Antoine.
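To make the three JWS terms the thread is arguing about concrete, here is an added example (not code from the thread, PEP 427 or the wheel project) that builds a JWS compact serialization over a constructed RECORD file and verifies it. It assumes HMAC-SHA256 (JWS alg "HS256") as a stdlib-only stand-in for the PEP's public-key algorithm, and follows the quoted description in carrying the SHA-256 hash of RECORD as the JWS Payload; the header, payload and signature are labelled with the draft's names.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample RECORD contents (not taken from any real wheel).
RECORD = (
    b"mypkg/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0\n"
    b"mypkg-1.0.dist-info/RECORD,,\n"
)

def b64url(data: bytes) -> str:
    """JWS base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def record_hash(record: bytes) -> str:
    """SHA-256 of the RECORD bytes in 'sha256=<base64url digest>' form."""
    return "sha256=" + b64url(hashlib.sha256(record).digest())

def jws_sign(record: bytes, key: bytes) -> str:
    # JWS Protected Header: names the algorithm (HS256 is the assumed stand-in).
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    # JWS Payload: the data being signed; here a JSON document with the RECORD hash.
    payload = b64url(json.dumps({"hash": record_hash(record)}, separators=(",", ":")).encode())
    # JWS Signing Input is "header.payload"; the JWS Signature is the MAC over it.
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"

def jws_verify(token: str, record: bytes, key: bytes) -> bool:
    """True only if the signature checks out AND the signed hash matches this RECORD."""
    header, payload, signature = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False  # reject algorithms the verifier was not configured for
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        return False
    return json.loads(b64url_decode(payload)).get("hash") == record_hash(record)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = jws_sign(RECORD, key)
    print(token)
    print(jws_verify(token, RECORD, key))                      # True
    print(jws_verify(token, RECORD + b"extra.py,,\n", key))    # False: RECORD changed
```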