[Catalog-sig] [Draft] Package signing and verification process
M.-A. Lemburg
mal at egenix.com
Thu Feb 7 11:59:59 CET 2013
Sorry if this has already been mentioned, but we could make GPG
signing very user friendly for the PyPI users by:
- having the PyPI server verify the uploaded file against the
registered GPG key of the uploader
- having the PyPI server sign the uploaded file using its own
key (so you have two .asc signature files per upload - one coming
directly from the uploader and another one from the PyPI server)
- having package managers verify the downloaded file against the
signature applied by PyPI
Package managers would only have to know the PyPI public key
for this to work.
Users who want to apply an extra check could also verify
the uploader's .asc signature file, but this would require
downloading and installing the uploader's GPG key; in return
for the extra work, they'd get two-way verification, though.
The concept is based on trust: PyPI trusts the uploader provided
that s/he is using the registered GPG key. Package managers (and
users) trust PyPI.
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Feb 07 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
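The upload-then-countersign flow proposed above, as an added example that is not part of the original post or of any PyPI code: Ed25519 stands in for GPG, the registry type, the uploader name "alice" and the package bytes are constructed, and the server produces its own signature only after the uploader's signature checks out against the registered key.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Registry models the PyPI side of the proposal: the uploader keys it has on file and
// its own signing key. Ed25519 stands in for GPG in this constructed model.
type Registry struct {
	registered map[string]ed25519.PublicKey // uploader name -> registered key
	serverPriv ed25519.PrivateKey
	ServerPub  ed25519.PublicKey // the only key a package manager must know
}

func NewRegistry() *Registry {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Registry{map[string]ed25519.PublicKey{}, priv, pub}
}
func (r *Registry) Register(name string, pub ed25519.PublicKey) { r.registered[name] = pub }

// Accept is the upload step: the uploader's detached signature must verify against the
// registered key, and only then does the server produce its own signature (the second .asc).
func (r *Registry) Accept(name string, file, uploaderSig []byte) ([]byte, error) {
	pub, ok := r.registered[name]
	if !ok {
		return nil, errors.New("no registered key for " + name)
	}
	if !ed25519.Verify(pub, file, uploaderSig) {
		return nil, errors.New("uploader signature does not verify against registered key")
	}
	return ed25519.Sign(r.serverPriv, file), nil
}

// VerifyDownload is the package manager's check; it needs only the server's public key.
func VerifyDownload(serverPub ed25519.PublicKey, file, serverSig []byte) bool {
	return ed25519.Verify(serverPub, file, serverSig)
}

// VerifyTwoWay is the optional extra check: both signatures must hold over the same bytes.
func VerifyTwoWay(serverPub, uploaderPub ed25519.PublicKey, file, serverSig, uploaderSig []byte) bool {
	return VerifyDownload(serverPub, file, serverSig) && ed25519.Verify(uploaderPub, file, uploaderSig)
}

func main() {
	reg := NewRegistry()
	upPub, upPriv, _ := ed25519.GenerateKey(nil)
	reg.Register("alice", upPub)
	file := []byte("constructed sample package bytes") // stands in for the uploaded archive
	serverSig, err := reg.Accept("alice", file, ed25519.Sign(upPriv, file))
	fmt.Println(err, VerifyDownload(reg.ServerPub, file, serverSig))
}
```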