[Catalog-sig] getting the public key when --sign is used

"Martin v. Löwis" martin at v.loewis.de
Tue Nov 20 13:49:57 CET 2012


On 19.11.12 19:37, Tarek Ziadé wrote:
> Wouldn't it make sense to modify the upload command and add a .pubkey
> file alongside the archive file and the .asc file on PyPI? (since we
> don't have a notion of team/users etc.)

Each user is supposed to provide his PGP key ID. For those that did, we
could fetch them from the key server. OTOH, users can also fetch them
themselves.

In PGP, keys should really be on the key servers, rather than having
distributed copies, since they get updated (e.g. when counter-signed
or revoked).

Regards,
Martin



