On 2017-10-31 00:20:34 +1000 (+1000), Nick Coghlan wrote: [...]
For folks that do want signatures on their build server -> deployment system connections (which is the problem this feature aims to help with), they're currently more likely to use external GPG signatures (the way Linux distros and some container registries do) or a system like Notary/TUF (the way the Docker registry does), than they are a Python-specific format. [...]
Agreed. For the hundreds of projects we publish on PyPI we have our release automation generate detached OpenPGP signatures of sdists and wheels, and serve those signatures from our own release info site since PyPI also seems to not want to support arbitrary signature uploads over the long term. This satisfies the requests we get from distribution package maintainers to provide proof of provenance for our release artifacts; our release managers and community infrastructure sysadmins sign the per-cycle release automation keys, and regularly participate in key signing with distro package maintainers in-person at conferences to establish a sufficient web of trust. I understand this is probably untenable for smaller projects, but at our scale it works fairly well (also easier to generalize beyond merely Python-based software). I'll be honest, when designing our artifact signing automation I didn't even know the wheel spec suggested it should be a feature, but without having consistent integration in other tooling for signed sdists too it wouldn't have been much help to us anyway. -- Jeremy Stanley
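Added example, not Jeremy Stanley's release automation or any project's code: a POSIX shell script that does the detached-OpenPGP round trip the message above describes (release key, detached signature of an sdist/wheel stand-in, verification by a downstream packager), with the one check that turns "good signature" into provenance: the signature must come from the per-cycle key fingerprint the packager has pinned, not from whatever key happens to be in the keyring. The key user id, the fingerprint pin and the artifact bytes are made up; it needs gpg(1) 2.1 or newer and works in a throwaway GNUPGHOME.

```shell
#!/bin/sh
# Added example, not the release automation described in the message above.
# Round trip of a detached OpenPGP signature on a release artifact:
#   1. create a (hypothetical) per-cycle release automation key,
#   2. sign an sdist/wheel stand-in with a detached, ASCII-armoured signature,
#   3. verify it as a downstream packager should: gpg must report VALIDSIG and
#      the signing key's fingerprint must equal the fingerprint pinned in the
#      package recipe.
# Requires gpg(1) 2.1 or newer; everything happens in a throwaway GNUPGHOME.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Made-up user id for the release automation key.
RELEASE_UID="Example Release Automation <release@example.invalid>"

# Create an unprotected ed25519 signing key (only if it does not exist yet)
# and print its full fingerprint. Real automation keeps such a key on
# locked-down infrastructure and has release managers certify it.
make_release_key() {
    if ! gpg --batch --quiet --list-secret-keys "$RELEASE_UID" >/dev/null 2>&1; then
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$RELEASE_UID" ed25519 sign 1d
    fi
    gpg --batch --with-colons --list-keys "$RELEASE_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Write a detached, ASCII-armoured signature next to the artifact ($1 -> $1.asc).
sign_artifact() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$RELEASE_UID" --armor --detach-sign \
        --output "$1.asc" "$1"
}

# Verify $1 against $1.asc. Succeeds only if gpg emits a VALIDSIG status line
# whose fingerprint equals the pinned fingerprint $2. A bare `gpg --verify`
# exit status 0 only means "good signature from some key in the keyring".
verify_artifact() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

demo() {
    fpr=$(make_release_key)
    artifact="$GNUPGHOME/example-1.0.tar.gz"         # constructed sdist stand-in
    printf 'constructed sdist bytes\n' > "$artifact"
    sign_artifact "$artifact"
    verify_artifact "$artifact" "$fpr" && r1=accepted || r1=rejected
    verify_artifact "$artifact" "0000000000000000000000000000000000000000" \
        && r2=accepted || r2=rejected                # wrong key pinned
    printf 'x' >> "$artifact"                        # tamper with the artifact
    verify_artifact "$artifact" "$fpr" && r3=accepted || r3=rejected
    echo "pinned key, intact artifact:   $r1"
    echo "wrong fingerprint pinned:      $r2"
    echo "pinned key, tampered artifact: $r3"
}

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

The fingerprint pin is the part that makes this provenance rather than integrity: it is the value a distribution packager records alongside the package recipe after deciding, through exactly the kind of in-person key signing the message describes, that the per-cycle automation key is the project's. Parsing `--status-fd` output rather than gpg's human-readable messages keeps the check stable across locales and versions.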