[Catalog-sig] Replication and security
Jesus Cea
jcea at jcea.es
Mon Jan 5 18:56:36 CET 2009
Martin v. Löwis wrote:
>> I have code in python to digitally sign/verify signatures using ElGamal
>> algorithm. Any interest?
>
> I rather prefer standard PGP signatures (with whatever signature
> algorithm the server key uses).
Me too, but then you require an OpenPGP implementation in Python or a
pgp/gpg program around, correctly configured, with the PyPI public key
installed, etc.
Instead, ElGamal signatures are verified in 12 lines of 100% python code.
I am talking about checking that a package actually comes from PyPI, not
the PGP author signature. This is important if anybody can deploy a
mirror... At least "easy_install" can automatically verify that the
downloaded package, from a mirror, originated from the main PyPI
server and was not modified in any way.
--
Jesus Cea Avion
jcea at jcea.es - http://www.jcea.es/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
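The scheme Cea describes, as an added example that is not his code or anything PyPI shipped: the main server signs a SHA-256 digest of the package with an ElGamal key, mirrors carry the (r, s) pair alongside the file, and the client needs only the public (p, g, y) and the standard library to check it. The group parameters (the 127-bit Mersenne prime 2**127 - 1 with g = 3), the use of SHA-256, and the sample package bytes are all constructed for this illustration; a real deployment would use a prime of roughly 2048 bits. The check is the part that matters for mirrors: any byte changed in transit makes the verification equation fail.

```python
"""Pure-Python ElGamal signatures over a package digest (demonstration only)."""
import hashlib
import secrets
from math import gcd

# Demo group, constructed for this example and far too small for real security:
# p = 2**127 - 1 (a Mersenne prime), g = 3. Real use needs a ~2048-bit prime.
P = 2**127 - 1
G = 3


def keygen(p=P, g=G):
    """Return (private x, public y = g^x mod p). x stays on the signing server."""
    x = secrets.randbelow(p - 2) + 1  # 1 <= x <= p - 2
    return x, pow(g, x, p)


def digest(data: bytes, p=P) -> int:
    """Hash the package bytes into an exponent in [0, p-2]; we sign the hash, never raw bytes."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (p - 1)


def sign(data: bytes, x: int, p=P, g=G):
    """Produce (r, s) with r = g^k, s = k^-1 (h - x r) mod (p-1).

    k must be fresh and secret for every signature: reusing k across two
    messages lets anyone recover the private key x from the two signatures.
    """
    h = digest(data, p)
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) != 1:
            continue  # k^-1 mod (p-1) must exist
        r = pow(g, k, p)
        s = ((h - x * r) * pow(k, -1, p - 1)) % (p - 1)
        if s != 0:  # s == 0 would expose x; astronomically rare, but retry
            return r, s


def verify(data: bytes, sig, y: int, p=P, g=G) -> bool:
    """Accept iff 0 < r < p, 0 < s < p-1 and g^h == y^r * r^s (mod p).

    The range checks are not optional: without them a forger can pick r >= p
    or s = 0 and satisfy the congruence with a bogus signature.
    """
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):
        return False
    h = digest(data, p)
    return pow(g, h, p) == (pow(y, r, p) * pow(r, s, p)) % p


def mirror_check_demo():
    """Sign on the 'main server', then verify a good copy and a tampered copy from a 'mirror'."""
    x, y = keygen()
    package = b"constructed package tarball bytes, not a real sdist"
    sig = sign(package, x)
    from_mirror_ok = verify(package, sig, y)
    from_mirror_tampered = verify(package + b"\x00", sig, y)
    return from_mirror_ok, from_mirror_tampered


if __name__ == "__main__":
    print(mirror_check_demo())
```

`verify` is the only routine the installer would embed, together with the server's `(p, g, y)`; the private `x` and the per-signature `k` never leave the signing host. Two things a practitioner should carry over into any real version of this: hash first and sign the hash, and treat the bounds checks on `r` and `s` as part of the algorithm rather than defensive extras.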