[Python-Dev] PEP 427 comment: code signing

Antoine Pitrou solipsis at pitrou.net
Mon Oct 22 22:12:25 CEST 2012


On Mon, 22 Oct 2012 15:49:34 -0400
Daniel Holth <dholth at gmail.com> wrote:
> On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> > On Mon, 22 Oct 2012 15:20:01 -0400
> > Daniel Holth <dholth at gmail.com> wrote:
> >>
> >> The decoded contents are like the JSON documents at
> >> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions
> >>
> >> Signing is implemented at:
> >> https://bitbucket.org/dholth/wheel/src/tip/wheel/signatures/__init__.py?at=default#cl-25
> >>
> >> The SHA-256 hash of RECORD is what is signed together with JWS
> >> signature header. The JWS spec elaborates on the general format.
> >
> > Thank you. Could you fix the terminology in the PEP? You are using the
> > term "payload" in a different sense from the JWS draft. Specifically,
> > the PEP should mention that the "JWS Payload" is the binary
> > contents of the RECORD file.
> >
> > What you are calling payload is actually the "JWS Signature".
> >
> > Regards
> 
> Which line is confusing? The payload is the hash of the contents of
> RECORD as a small JSON document: { "hash":
> "sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" } instead of
> including a base64-encoded copy of RECORD in the signature.

Thanks for the explanation. Can you add it to the PEP?

In your JWS header example:

{
  "alg": "Ed25519",
  "typ": "JWT",
  "key": {
    "alg": "Ed25519",
    "vk": "tmAYCrSfj8gtJ10v3VkvW7jOndKmQIYE12hgnFu3cvk"
  }
}

Why are you using "key" instead of "jwk" for the JSON Web Key?

Regards

Antoine.
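The thread's terminology point, as an added example that is not part of the original message or of the wheel project's own signing code: the JWS Payload is the small JSON document `{"hash": "sha256=..."}` carrying the base64url-encoded SHA-256 of RECORD, and the JWS Signature is the third segment of the compact serialization, computed over the protected header and that payload. The code below builds and verifies such a signature. It assumes HMAC-SHA256 (JWS "HS256") as a stand-in for the Ed25519 algorithm in the PEP's header, because Ed25519 needs a third-party library; the RECORD bytes and the key are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """JWS-style base64url encoding with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(): restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def record_payload(record: bytes) -> dict:
    """The JWS Payload as described in the thread: a JSON document holding
    the SHA-256 of RECORD rather than a copy of RECORD itself."""
    return {"hash": "sha256=" + b64url(hashlib.sha256(record).digest())}


def _compact_json(obj: dict) -> bytes:
    # Deterministic serialization so header and payload re-encode identically.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_record(record: bytes, key: bytes) -> str:
    """Return the JWS compact serialization: header.payload.signature.
    HS256 stands in for Ed25519 here (assumption for the demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    protected = b64url(_compact_json(header))
    payload = b64url(_compact_json(record_payload(record)))
    signing_input = f"{protected}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()  # the JWS Signature
    return f"{protected}.{payload}.{b64url(signature)}"


def verify_record(jws: str, record: bytes, key: bytes) -> bool:
    """Check the JWS Signature over header+payload, then check that the
    payload's hash matches the RECORD bytes actually shipped."""
    try:
        protected, payload, sig_b64 = jws.split(".")
        signing_input = f"{protected}.{payload}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False  # signature does not cover this header and payload
        header = json.loads(b64url_decode(protected))
        if header.get("alg") != "HS256":
            return False  # refuse algorithms the verifier was not configured for
        claimed = json.loads(b64url_decode(payload)).get("hash", "")
        actual = record_payload(record)["hash"]
        return hmac.compare_digest(claimed, actual)
    except ValueError:  # malformed base64, JSON or segment count
        return False


# Constructed sample input: a two-line RECORD and a demo key.
RECORD = b"pkg/__init__.py,sha256=abc,12\npkg-1.0.dist-info/RECORD,,\n"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    token = sign_record(RECORD, KEY)
    print(token)
    print("valid:", verify_record(token, RECORD, KEY))
    print("tampered RECORD rejected:", not verify_record(token, RECORD + b"x", KEY))
```

Verification deliberately checks the signature first and the RECORD hash second: a wheel whose RECORD was altered after signing fails the second check even though the signature over the signed payload is still valid, which is exactly the case the hash-in-payload design exists to catch.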

