At 12:10 PM 8/11/2005 -0500, Ian Bicking wrote:
> I imagine at some time in the future easy_install will also read and confirm signatures, and may have things like GUI frontends. But I think that's a ways off, and some things require a larger discussion (like signatures).
It's certainly possible for people to sign eggs now with the setuptools 'upload' command (the --sign option invokes GPG), it's just that easy_install doesn't do any signature verification yet. I have no real idea as to how that should work with respect to setting up policies or trust chains or any of that stuff. Also, I'm not sure as yet how to retrieve signature info from PyPI, because I've never used it. However, if somebody wants to sign their eggs and send them to PyPI using "upload --sign", and can then also suggest what should be done to verify the signatures (preferably including what GPG commands to run to do the verification!), then I'll certainly take a look at it. Ideally, if this were done right it would work for source distributions and bdist_wininst installers as well as eggs, as long as EasyInstall can find the associated signature.
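For what it's worth, here is one shape the verification side could take. This is an added example, not code from setuptools, easy_install, or anyone in this thread. It assumes the detached ".asc" signature that "upload --sign" produces (distutils runs "gpg --detach-sign -a <file>" and uploads "<file>.asc"), GnuPG's "--status-fd" line format, and a caller-supplied allowlist of trusted key fingerprints standing in for the trust policy the message says is still undecided. The sample status lines are constructed, not captured from a real run. The security point it tries to make concrete: "gpg --verify" exiting 0 only says the signature is good for some key in the keyring, so the installer still has to check whose key that was.

```python
"""Check a detached GPG signature on a distribution file and decide whether to
trust it.  Added illustration for this thread; not setuptools/easy_install code.
Assumes GnuPG's --status-fd line format and a caller-supplied allowlist of
trusted key fingerprints (the policy the thread leaves open)."""
import subprocess
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Status keywords after which the signature must be rejected regardless of
# anything else gpg reports.
FATAL_STATUSES = frozenset(
    {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
)


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprints: List[str] = field(default_factory=list)


def evaluate_status(status_output: str, trusted_fingerprints: FrozenSet[str]) -> Verdict:
    """Apply a key-pinning policy to the output of
    'gpg --status-fd 1 --verify <sig> <file>'.

    Policy (this example's choice, not a GnuPG default): no fatal status line,
    at least one VALIDSIG, and every VALIDSIG's primary-key fingerprint on the
    allowlist.  GOODSIG alone is not enough: it means some key in the keyring
    made the signature, not that the key is one we decided to trust.
    """
    trusted = {t.replace(" ", "").upper() for t in trusted_fingerprints}
    seen: List[str] = []
    valid_fprs: List[str] = []
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        seen.append(keyword)
        if keyword == "VALIDSIG":
            # fields[2] is the fingerprint of the (sub)key that signed; GnuPG
            # appends the primary key fingerprint as a final field when known.
            valid_fprs.append(fields[-1] if len(fields) >= 12 else fields[2])
    fatal = sorted(FATAL_STATUSES.intersection(seen))
    if fatal:
        return Verdict(False, "gpg reported " + ", ".join(fatal), valid_fprs)
    if not valid_fprs:
        return Verdict(False, "no VALIDSIG line from gpg", valid_fprs)
    untrusted = [f for f in valid_fprs if f.upper() not in trusted]
    if untrusted:
        return Verdict(False, "signing key not in the trusted set: " + ", ".join(untrusted), valid_fprs)
    return Verdict(True, "valid signature from a pinned key", valid_fprs)


def verify_distribution(dist_path: str, trusted_fingerprints: FrozenSet[str],
                        sig_path: Optional[str] = None,
                        gnupghome: Optional[str] = None) -> Verdict:
    """Run gpg over <dist> and <dist>.asc (the detached, ASCII-armoured file
    that 'setup.py upload --sign' produces via 'gpg --detach-sign -a') and
    apply the policy above.  Requires a gpg binary on PATH."""
    sig_path = sig_path or dist_path + ".asc"
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, dist_path]
    if gnupghome:
        # A dedicated homedir whose keyring holds only the pinned keys.
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # Exit status 0 means "good signature from some known key"; the status
    # lines carry the fingerprint we need to decide whether that key counts.
    return evaluate_status(proc.stdout, trusted_fingerprints)


# Constructed sample status output (hypothetical fingerprints, not real keys).
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n"
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2005-08-11 1123776000 0 4 0 17 2 00 {TRUSTED_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_BADSIG = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n"
)
SAMPLE_NO_PUBKEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 89ABCDEF01234567 17 2 00 1123776000 9\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"
)

if __name__ == "__main__":
    for name, sample, pinned in [("good, pinned key", SAMPLE_GOOD, {TRUSTED_FPR}),
                                 ("good, unpinned key", SAMPLE_GOOD, {OTHER_FPR}),
                                 ("bad signature", SAMPLE_BADSIG, {TRUSTED_FPR}),
                                 ("unknown key", SAMPLE_NO_PUBKEY, {TRUSTED_FPR})]:
        v = evaluate_status(sample, frozenset(pinned))
        print(f"{name}: ok={v.ok} ({v.reason})")
```

The split between evaluate_status() and verify_distribution() is deliberate: the policy can be exercised offline against status text, while the subprocess wrapper is the only part that needs gpg installed. Pointing gpg at a separate --homedir containing just the keys you have decided to trust also keeps the installer's decision independent of whatever else happens to be in the user's default keyring.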