On May 12, 2016, at 07:41 AM, Donald Stufft wrote:
I am aware of a single tool anywhere that actively supports verifying the signatures that people upload to PyPI, and that is Debian's uscan program. Even in that case the people writing the Debian watch file have to hardcode in a signing key into it and in my experience, when faced with a validation error it's not unusual for Debian to simply disable signature checking for that project and/or just blindly update the key to whatever the new key is.
I like that uscan provides this feature, but I don't know how many packages actually use it, either within the Debian Python teams, or in the larger Debian community. I'd like to use it more often on packages I maintain but it's kind of difficult to find your way back to an authoritative signing key. For my own packages that I also maintain in Debian, it's of course trivial, so I have that enabled for them. I sign all my package uploads to PyPI, and I mostly trust myself <wink>.
If it's possible to get signing keys from PyPI, I really have no idea how to do that. The web ui doesn't at all make it obvious (to me, at least).
I understand the implementation dilemma for Warehouse, but rather than ditch this feature, I'd rather see it improve by making the signing keys more discoverable and verifiable. I wonder if keybase.io could be used somehow. Or perhaps a prominent link in the package metadata pointing to a pubkey location. Then it would be up to projects to utilize these mechanisms to make their signing keys obvious, and tools like uscan can increase their usage of such features.