[Catalog-sig] getting the public key when --sign is used
Tarek Ziadé
tarek at ziade.org
Mon Nov 19 19:45:51 CET 2012
On 11/19/12 7:43 PM, Daniel Holth wrote:
> If pypi would also sign the public key, and possibly the metadata for
> a particular release, that feature could be pretty cool.
Why pip?
>
>
> On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <tarek at ziade.org> wrote:
>
> Hey
>
>
> I am currently writing a small script to verify that the gpg
> signature is correct when the --sign option
> is used with the Distutils upload command, and I was wondering why
> we don't publish the public key
> alongside the .asc file.
>
> Right now, unless I missed something, to verify a signature the
> user has to manually get the public key before she
> can control the tarball.
>
> Wouldn't it make sense to modify the upload command and add a
> .pubkey file alongside the archive file
> and the .asc file on PyPI? (since we don't have a notion of
> team/users etc.)
>
> Cheers
> Tarek