So I'm trying to be a good Python project owner for https://github.com/brettcannon/caniusepython3, so that means wanting to produce a universal wheel. While reading up on exactly what is needed I noticed there is `wheel keygen` which feeds `wheel sign`.
But what exactly is the keygen producing? I'm assuming it's a private/public key but there is nothing about where those keys are stored, if I should keep them when I change machines, etc. And if this is PKI then I would assume I would want to get my public key signed by others in some web-of-trust to make sure that the signing is more than just a content hash. I do have a public/private GPG key from years ago when I tried to do the right thing and got it signed at PyCon, but once again the wheel docs don't say anything about GPG or reusing keys, etc. The wheel docs are so non-committal it makes it feel like whatever `gpg keygen` produces is really not some performance shortcut and not really something to care about perpetuating the output of.
So am I missing something or is `wheel keygen` just an optimization?