Gpg python installer
Ned Deily
nad at acm.org
Thu Apr 2 03:13:22 EDT 2015
In article
<CAK9B2qgbiGkUAH3w2YMRuogOCQDq132QBXRbQWcP5o1jAxtNyA at mail.gmail.com>,
leonardo davinci <leodavinci111 at gmail.com> wrote:
> I am using Kleopatra (gpg for win) to verify the 3.4.3 python installer,
> Windows x86 MSI
> <https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi>. This file does
> not have an email in the digital signature and I am having trouble verifying
> the validity of the download.
Unfortunately, verifying the PGP signature of release files isn't the
most user-friendly process, especially on Windows. The release files
from python.org are typically PGP-signed in armored detached signature
files, in other words, for each release file (like python-3.4.3.msi)
there is a separate signature file with an appended .asc extension
(python-3.4.3.msi.asc). If you go to the python.org downloads page
(https://www.python.org/downloads/) and click on the release in
question, it should take you to the page for the release
(https://www.python.org/downloads/release/python-343/). Near the bottom
of the page, there is a list of downloadable files and to the right of
each one there is a "GPG" column with a "SIG" link for each file.
Clicking on the SIG link should download the corresponding signature
file (python-3.4.3.msi.asc). I'm not familiar with Kleopatra's
interface but normally you'd want to download both the installer file
and its asc file to the same directory/folder and then tell the GPG
program to verify the asc file. The PGP/GPG program will also need to
have access to the public keys of the creators / signers of the
downloadable files. You will find them listed near the bottom of the
Downloads page (https://www.python.org/downloads/).
Independently thereof, the python.org Windows installer files are also
signed with a public-key code signing certificate that should be
automatically verified by the Windows installer program. (Likewise, for
the Mac OS X installer files.)
Hope this helps!
--
Ned Deily,
nad at acm.org
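Added example, not part of the original message or of python.org's tooling: a detached OpenPGP signature names its signer by key ID, while names and email addresses live on the public key, so reading the packet inside a downloaded .asc file shows which public key to obtain. The function names and the sample signature below are constructed for illustration; the code inspects the packet only and does not verify it.

```python
import base64

HASHES = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # RFC 4880, section 9.4

def dearmor(text):
    """Decode an armored signature to packet bytes (the '=' CRC-24 line is skipped, not checked)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body = lines[lines.index("") + 1:-1]  # armor headers end at the first blank line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def subpackets(area):
    """Yield (type, data) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                       # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                           # five-octet length
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]  # bit 7 of the type is the "critical" flag
        i += n

def signature_info(pkt):
    """Return what a version 4 signature packet says about its signer."""
    if pkt[0] & 0x40:  # new-format header with a 1-, 2- or 5-octet length
        tag, off = pkt[0] & 0x3F, 2 if pkt[1] < 192 else 3 if pkt[1] < 224 else 6
    else:              # old-format header, which GnuPG writes for signatures
        tag, off = (pkt[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[pkt[0] & 3]
    body = pkt[off:]
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    info = {"hash": HASHES.get(body[3], body[3]), "key_id": None, "signer_uid": None}
    for typ, data in [*subpackets(body[6:6 + hlen]), *subpackets(body[8 + hlen:8 + hlen + ulen])]:
        if typ == 16:    # issuer: the 8-byte key ID to match against a public key
            info["key_id"] = data.hex().upper()
        elif typ == 28:  # signer's user ID: optional and usually absent
            info["signer_uid"] = data.decode("utf-8", "replace")
    return info

# Constructed sample (not a real python.org signature): v4, RSA, SHA-1, issuer key ID unhashed.
_body = (bytes([4, 0, 1, 2]) + b"\x00\x06\x05\x02" + (1420070400).to_bytes(4, "big")
         + b"\x00\x0a\x09\x10" + bytes.fromhex("0123456789ABCDEF") + b"\xab\xcd\x00\x08\xff")
SAMPLE_ASC = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n" + base64.b64encode(
    bytes([0x88, len(_body)]) + _body).decode() + "\n-----END PGP SIGNATURE-----\n")
print(signature_info(dearmor(SAMPLE_ASC)))
```

To use it on a real download, pass the text of the .asc file to `dearmor` and compare the reported key ID with the release signers' keys listed on the Downloads page.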