[Python-Dev] PEP 427 comment: code signing
Daniel Holth
dholth at gmail.com
Mon Oct 22 21:49:34 CEST 2012
On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Mon, 22 Oct 2012 15:20:01 -0400
> Daniel Holth <dholth at gmail.com> wrote:
>>
>> The decoded contents are like the JSON documents at
>> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions
>>
>> Signing is implemented at:
>> https://bitbucket.org/dholth/wheel/src/tip/wheel/signatures/__init__.py?at=default#cl-25
>>
>> The SHA-256 hash of RECORD is what is signed together with JWS
>> signature header. The JWS spec elaborates on the general format.
>
> Thank you. Could you fix the terminology in the PEP? You are using the
> term "payload" in a different sense from the JWS draft. Specifically,
> the PEP should mention that the "JWS Payload" is the binary
> contents of the RECORD file.
>
> What you are calling payload is actually the "JWS Signature".
>
> Regards
Which line is confusing? The payload is the hash of the contents of
RECORD as a small JSON document: { "hash":
"sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" } instead of
including a base64-encoded copy of RECORD in the signature.
More information about the Python-Dev
mailing list