[Python-Dev] PEP 427 comment: code signing
Daniel Holth
dholth at gmail.com
Mon Oct 22 22:18:50 CEST 2012
On Mon, Oct 22, 2012 at 4:12 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Mon, 22 Oct 2012 15:49:34 -0400
> Daniel Holth <dholth at gmail.com> wrote:
>> On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> > On Mon, 22 Oct 2012 15:20:01 -0400
>> > Daniel Holth <dholth at gmail.com> wrote:
>> >>
>> >> The decoded contents are like the JSON documents at
>> >> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions
>> >>
>> >> Signing is implemented at:
>> >> https://bitbucket.org/dholth/wheel/src/tip/wheel/signatures/__init__.py?at=default#cl-25
>> >>
>> >> The SHA-256 hash of RECORD is what is signed together with JWS
>> >> signature header. The JWS spec elaborates on the general format.
>> >
>> > Thank you. Could you fix the terminology in the PEP? You are using the
>> > term "payload" in a different sense from the JWS draft. Specifically,
>> > the PEP should mention that the "JWS Payload" is the binary
>> > contents of the RECORD file.
>> >
>> > What you are calling payload is actually the "JWS Signature".
>> >
>> > Regards
>>
>> Which line is confusing? The payload is the hash of the contents of
>> RECORD as a small JSON document: { "hash":
>> "sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" } instead of
>> including a base64-encoded copy of RECORD in the signature.
>
> Thanks for the explanation. Can you add it to the PEP?
>
> In your JWS header example:
>
> {
> "alg": "Ed25519",
> "typ": "JWT",
> "key": {
> "alg": "Ed25519",
> "vk": "tmAYCrSfj8gtJ10v3VkvW7jOndKmQIYE12hgnFu3cvk"
> }
> }
>
> Why are you using "key" instead of "jwk" for the JSON Web Key?
bug.
More information about the Python-Dev
mailing list