[Distutils] PyPI and GPG Signatures

Barry Warsaw barry at python.org
Thu May 12 15:05:45 EDT 2016


On May 12, 2016, at 07:41 AM, Donald Stufft wrote:

>I am aware of a single tool anywhere that actively supports verifying the
>signatures that people upload to PyPI, and that is Debian's uscan
>program. Even in that case the people writing the Debian watch file have to
>hardcode in a signing key into it and in my experience, when faced with a
>validation error it's not unusual for Debian to simply disable signature
>checking for that project and/or just blindly update the key to whatever the
>new key is.

I like that uscan provides this feature, but I don't know how many packages
actually use it, either within the Debian Python teams, or in the larger
Debian community.  I'd like to use it more often on packages I maintain but
it's kind of difficult to find your way back to an authoritative signing key.
For my own packages that I also maintain in Debian, it's of course trivial, so
I have that enabled for them.  I sign all my package uploads to PyPI, and I
mostly trust myself <wink>.

If it's possible to get signing keys from PyPI, I really have no idea how to
do that.  The web UI doesn't at all make it obvious (to me, at least).

I understand the implementation dilemma for Warehouse, but rather than ditch
this feature, I'd rather see it improve by making the signing keys more
discoverable and verifiable.  I wonder if keybase.io could be used somehow.
Or perhaps a prominent link in the package metadata pointing to a pubkey
location.  Then it would be up to projects to utilize these mechanisms to make
their signing keys obvious, and tools like uscan can increase their usage of
such features.

Cheers,
-Barry
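As an added illustration, not taken from the thread, of the "hardcoded signing key" arrangement Donald describes: a debian/watch stanza for a hypothetical PyPI project `examplepkg`, telling uscan to fetch the detached `.asc` signature PyPI publishes beside each upload and verify it against the key pinned in the packaging. The project name is a placeholder; the pinned key lives in debian/upstream/signing-key.asc.

```text
# debian/watch  (added example; "examplepkg" is a hypothetical project)
version=4
# Append ".asc" to the tarball URL to fetch the detached OpenPGP signature
# (PyPI stores signatures as <file>.asc) and verify it against the upstream
# key pinned in debian/upstream/signing-key.asc.
opts="pgpsigurlmangle=s/$/.asc/" \
https://pypi.debian.net/examplepkg/examplepkg-(.+)\.tar\.gz
```

The pinned key is exported once with `gpg --armor --export <FINGERPRINT> > debian/upstream/signing-key.asc` (fingerprint is a placeholder); from then on uscan refuses the new tarball when its signature does not verify against that key, which is the check Donald notes maintainers sometimes disable rather than re-establish trust in a changed key.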