Signing extensions

Roger Binns rogerb at rogerbinns.com
Fri Sep 25 23:23:13 EDT 2009


I would like to digitally sign the open source Python extensions I produce.
I produce source code (zip file) as well as pre-built binaries for Windows
(all Python versions from 2.3 to 3.1).

I can sign the source using my PGP key no problem.  I could also sign the
Windows binaries that way but Windows users are unlikely to have PGP and the
Google Code downloads page would look even worse having another 8 or 9 .asc
files.

The Windows Python distribution is signed by PGP and the normal Microsoft
way using a Verisign class 3 cert.  (If you read their issuer statement it
ultimately says the cert isn't worth the bits it is printed on :-)  One of
those certs is $500 per year which is out of the question for me.

Does anyone have any other suggestions?  Has the PSF considered running a
certificate authority for extension developers, and other Python developers
for that matter?

Roger
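The following is an added example, not code from the post, from the PSF, or from any Python-list reply. It shows one way around the "another 8 or 9 .asc files" problem the post raises: hash every release artifact into a single manifest and sign only the manifest, so one detached signature covers the source zip and every Windows installer, and a downloader checks that one signature and then compares the file they fetched against its manifest line. Go is used because its standard library carries Ed25519; in the post's setting the PGP key would play the role of the Ed25519 key here. The file names and contents are constructed placeholders, and the function names are this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for a release: the source zip plus one Windows
// installer per supported Python version. Names and contents are hypothetical.
var releaseFiles = map[string][]byte{
	"ext-1.0.zip":             []byte("source distribution"),
	"ext-1.0.win32-py2.5.exe": []byte("installer for 2.5"),
	"ext-1.0.win32-py2.6.exe": []byte("installer for 2.6"),
	"ext-1.0.win32-py3.1.exe": []byte("installer for 3.1"),
}

// BuildManifest renders one "sha256hex  filename" line per artifact, sorted by
// name so the bytes are deterministic regardless of map iteration order.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

// SignManifest produces the single detached signature that ships beside the
// manifest. It is the only signature file the whole release needs.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyFile is what a downloader runs. The signature is checked over the
// whole manifest before any line of it is trusted; only then is the digest
// of the downloaded file compared with the manifest entry for its name.
func VerifyFile(pub ed25519.PublicKey, manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature does not verify")
	}
	want := ""
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		fields := strings.SplitN(sc.Text(), "  ", 2)
		if len(fields) == 2 && fields[1] == name {
			want = fields[0]
			break
		}
	}
	if want == "" {
		return fmt.Errorf("%s is not listed in the signed manifest", name)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: digest mismatch, file was modified or replaced", name)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	manifest := BuildManifest(releaseFiles)
	sig := SignManifest(priv, manifest)
	fmt.Print(string(manifest))

	fmt.Println("good file:", VerifyFile(pub, manifest, sig, "ext-1.0.zip", releaseFiles["ext-1.0.zip"]))
	tampered := append([]byte{}, releaseFiles["ext-1.0.zip"]...)
	tampered[0] ^= 0x01
	fmt.Println("tampered file:", VerifyFile(pub, manifest, sig, "ext-1.0.zip", tampered))
}
```

The ordering in VerifyFile matters: a manifest line is never consulted until the signature over the entire manifest has passed, so an attacker who can replace files on the download page but not forge the signature cannot slip in a new installer, swap one for another, or edit a digest. Publishing the manifest and its signature under names users can find (one pair per release) keeps the downloads page to two extra files instead of one per binary.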