
In all the current discussion on python-dev about improving eggs and setuptools in general, I don't think I've seen anything regarding digitally signed eggs or verifiable egg distribution. Google doesn't seem to turn anything up, either.
Has anyone put any thought into this?

Tim Lesher wrote:
> In all the current discussion on python-dev about improving eggs and setuptools in general, I don't think I've seen anything regarding digitally signed eggs or verifiable egg distribution. Google doesn't seem to turn anything up, either.
> Has anyone put any thought into this?

Well, you can sign all stuff that you upload to PyPI. It usually doesn't get verified on installation, though.

Stefan

2009/7/10 Stefan Behnel stefan_ml@behnel.de:
> Tim Lesher wrote:
>> In all the current discussion on python-dev about improving eggs and setuptools in general, I don't think I've seen anything regarding digitally signed eggs or verifiable egg distribution. Google doesn't seem to turn anything up, either.
>> Has anyone put any thought into this?
> Well, you can sign all stuff that you upload to PyPI. It usually doesn't get verified on installation, though.

And you could write a PEP 302 installer to load & verify signed eggs. Nothing new here, other than no-one has wanted to do it so far.

BTW, eggs and setuptools are a 3rd party package - there's nothing about them in core Python. The discussions on python-dev are about enhancing *distutils* - ironically, in a way that possibly reduces the need for setuptools - and not about setuptools. Setuptools isn't appropriate for python-dev (the distutils SIG mailing list hosts discussions about setuptools if you want to raise the subject there).

Paul.

On Fri, Jul 10, 2009 at 06:18, Paul Moore p.f.moore@gmail.com wrote:
> 2009/7/10 Stefan Behnel stefan_ml@behnel.de:
>> Tim Lesher wrote:
>>> In all the current discussion on python-dev about improving eggs and setuptools in general, I don't think I've seen anything regarding digitally signed eggs or verifiable egg distribution. Google doesn't seem to turn anything up, either.
>>> Has anyone put any thought into this?
>> Well, you can sign all stuff that you upload to PyPI. It usually doesn't get verified on installation, though.
> And you could write a PEP 302 installer to load & verify signed eggs. Nothing new here, other than no-one has wanted to do it so far.

Right--that's part of what I'm going to be doing for a current work project.
The rest is "where to store the signature" and "what inputs should feed the signature calculation" and "how to verify the egg *without* trying to import it".
If there were any past efforts (even failed ones) to do so, I was curious to learn from those experiences. Sounds like it's a green field, though.

> BTW, eggs and setuptools are a 3rd party package - there's nothing about them in core Python.

Correct--I misspoke. While eggs are probably the implementation technique I'll be looking at, I was interested in any other attempts in the past.
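
As an added example (not code from this thread, from setuptools, or from any later project), here is one concrete answer to the three questions Tim raises above: what feeds the signature, where it is stored, and how to verify without importing. Every design choice in it is an assumption: the signed input is a canonical manifest of member names and SHA-256 digests, the signature is stored as a zip member named EGG-INFO/SIGNATURE (a made-up name; setuptools defines no such file), and HMAC-SHA256 with a shared key stands in for a real asymmetric signature so that the example runs on the standard library alone. With a public-key scheme the verifier would hold only the public key; the manifest construction and the import-free verification are unchanged.

```python
"""Sign and verify a zip-based egg without importing anything from it.

Added example, not code from the thread or from setuptools. Assumptions:
  - what is signed: a manifest "name<TAB>sha256(content)\n" over every
    member except the signature member, sorted by name, so that adding,
    removing, renaming or editing any member changes the manifest;
  - where the signature lives: the zip member EGG-INFO/SIGNATURE (made-up);
  - primitive: HMAC-SHA256 with a shared key stands in for a real
    asymmetric signature so this runs on the standard library alone.
"""
import hashlib
import hmac
import io
import zipfile

SIG_MEMBER = "EGG-INFO/SIGNATURE"  # hypothetical location of the signature


def manifest(zf: zipfile.ZipFile) -> bytes:
    """Canonical list of (name, digest) for every member except the signature."""
    lines = []
    for info in sorted(zf.infolist(), key=lambda i: i.filename):
        if info.filename != SIG_MEMBER:
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            lines.append(f"{info.filename}\t{digest}\n")
    return "".join(lines).encode()


def sign_egg(egg: bytes, key: bytes) -> bytes:
    """Return a copy of the egg with the signature member (re)written."""
    src = zipfile.ZipFile(io.BytesIO(egg))
    sig = hmac.new(key, manifest(src), "sha256").hexdigest()
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != SIG_MEMBER:
                dst.writestr(info, src.read(info))
        dst.writestr(SIG_MEMBER, sig)
    return out.getvalue()


def verify_egg(egg: bytes, key: bytes) -> bool:
    """True iff the stored signature matches the manifest of the other members.

    Only zipfile reads happen here: nothing is imported, compiled or executed,
    so a malicious egg gets no chance to run code during verification.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(egg))
        stored = zf.read(SIG_MEMBER).decode("ascii")
    except (zipfile.BadZipFile, KeyError, UnicodeDecodeError):
        return False
    names = [i.filename for i in zf.infolist()]
    if len(names) != len(set(names)):
        return False  # duplicate entries: an importer would pick one, the manifest saw both
    expected = hmac.new(key, manifest(zf), "sha256").hexdigest()
    return hmac.compare_digest(stored, expected)


# --- helpers to build constructed input and to simulate tampering -----------

def build_egg(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def tamper(egg: bytes, name: str, data) -> bytes:
    """Replace member `name` with `data` (None removes it); keep everything else."""
    src = zipfile.ZipFile(io.BytesIO(egg))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info, src.read(info))
        if data is not None:
            dst.writestr(name, data)
    return buf.getvalue()


KEY = b"demo-signing-key"  # constructed; a real deployment uses a managed key
UNSIGNED = build_egg({  # constructed minimal egg layout
    "demo/__init__.py": b"VERSION = '1.0'\n",
    "EGG-INFO/PKG-INFO": b"Name: demo\nVersion: 1.0\n",
})
SIGNED = sign_egg(UNSIGNED, KEY)

if __name__ == "__main__":
    print("signed verifies:", verify_egg(SIGNED, KEY))
    print("edited member:", verify_egg(tamper(SIGNED, "demo/__init__.py", b"import os\n"), KEY))
    print("added member:", verify_egg(tamper(SIGNED, "demo/extra.py", b"x = 1\n"), KEY))
```

Two points worth noting in the design: the manifest is built from `infolist()` rather than `namelist()` so that a second entry smuggled in under an existing name shows up as a change (and is rejected outright by the duplicate check), and the zip format's own CRCs play no role, since they protect against corruption, not against an attacker who rewrites the archive.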

2009/7/10 Tim Lesher tlesher@gmail.com:
>> And you could write a PEP 302 installer to load & verify signed eggs. Nothing new here, other than no-one has wanted to do it so far.
> Right--that's part of what I'm going to be doing for a current work project.
> The rest is "where to store the signature" and "what inputs should feed the signature calculation" and "how to verify the egg *without* trying to import it".
> If there were any past efforts (even failed ones) to do so, I was curious to learn from those experiences. Sounds like it's a green field, though.
>> BTW, eggs and setuptools are a 3rd party package - there's nothing about them in core Python.
> Correct--I misspoke. While eggs are probably the implementation technique I'll be looking at, I was interested in any other attempts in the past.

I've not done anything like this, so I can't help much. But one thing that might be worth considering, if you don't mind a new format, would be a SQLite database for holding the modules. Advantages over zip files (which is what eggs use) are that you can add extra table columns, for things like signatures, and that it's read-write, so you could generate .pyc "files" on the fly rather than relying on pregeneration like eggs do. The big disadvantage is that you'd be inventing a new format (although you could write a utility to extract the files from an egg and load them into a sqlite file, so you'd be able to reuse existing eggs to some extent).

Paul.
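
As an added example (not code from this thread or from any project), here is a sketch of Paul's two suggestions together: a verifying import hook of the kind he mentions in his earlier message, built over the SQLite module store he describes here, with a signature column per module and bytecode generated on first import and cached back into the database. It uses the current importlib hooks (`find_spec`/`exec_module`, the PEP 451 successors of the PEP 302 `find_module`/`load_module` pair). The table layout, the module names and the HMAC-SHA256 stand-in for a real publisher signature are assumptions. The one addition beyond Paul's description is the `cache_tag` column: because the store is read-write, the cached bytecode is writable by anyone who can write the file, so the loader only trusts it when an installer-local tag matches and otherwise recompiles from the verified source.

```python
"""A verifying import hook over a SQLite module store.

Added example, not code from the thread. It sketches Paul's SQLite idea using
the current importlib hooks (find_spec/exec_module, the PEP 451 successors of
the PEP 302 find_module/load_module pair). The table layout, the module names
and the HMAC-SHA256 stand-in for a real publisher signature are assumptions.
"""
import hmac
import importlib.abc
import importlib.machinery
import marshal
import sqlite3
import sys

SCHEMA = """
CREATE TABLE IF NOT EXISTS modules (
    name      TEXT PRIMARY KEY,
    source    TEXT NOT NULL,
    signature TEXT NOT NULL,  -- publisher tag over name and source
    bytecode  BLOB,           -- marshalled code object, filled on first import
    cache_tag TEXT            -- installer tag over bytecode (see exec_module)
)"""


def tag(key: bytes, *parts: bytes) -> str:
    return hmac.new(key, b"\0".join(parts), "sha256").hexdigest()


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def publish(conn, publisher_key: bytes, name: str, source: str) -> None:
    """Publisher side: store a module with a signature over its name and source."""
    conn.execute("INSERT OR REPLACE INTO modules (name, source, signature) VALUES (?, ?, ?)",
                 (name, source, tag(publisher_key, name.encode(), source.encode())))
    conn.commit()


class SqliteSignedImporter(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Finder and loader in one: verify the source before anything executes."""

    def __init__(self, conn, publisher_key: bytes, cache_key: bytes):
        self.conn, self.publisher_key, self.cache_key = conn, publisher_key, cache_key

    def find_spec(self, fullname, path=None, target=None):
        if self.conn.execute("SELECT 1 FROM modules WHERE name = ?", (fullname,)).fetchone() is None:
            return None
        return importlib.machinery.ModuleSpec(fullname, self, origin=f"sqlite:{fullname}")

    def create_module(self, spec):
        return None  # let importlib build a plain module object

    def exec_module(self, module):
        name = module.__name__
        source, sig, blob, cache_tag = self.conn.execute(
            "SELECT source, signature, bytecode, cache_tag FROM modules WHERE name = ?", (name,)
        ).fetchone()
        # 1. publisher signature over the source, checked before compiling or running
        if not hmac.compare_digest(sig, tag(self.publisher_key, name.encode(), source.encode())):
            raise ImportError(f"signature check failed for {name!r}")
        # 2. the bytecode column is writable by anyone who can write the file: use it
        #    only when the installer-side tag matches, else recompile and refresh it
        if blob is not None and cache_tag is not None and hmac.compare_digest(cache_tag, tag(self.cache_key, blob)):
            code = marshal.loads(blob)
        else:
            code = compile(source, f"<sqlite:{name}>", "exec")
            blob = marshal.dumps(code)
            self.conn.execute("UPDATE modules SET bytecode = ?, cache_tag = ? WHERE name = ?",
                              (blob, tag(self.cache_key, blob), name))
            self.conn.commit()
        exec(code, module.__dict__)


def demo() -> dict:
    """Constructed scenario: a good module, a source edited after signing,
    and a poisoned bytecode cache. Returns what each import produced."""
    pub_key, cache_key = b"publisher-demo-key", b"installer-local-key"  # constructed
    conn = open_store()
    publish(conn, pub_key, "signed_demo", "ANSWER = 42\n")
    publish(conn, pub_key, "tampered_demo", "ANSWER = 42\n")
    conn.execute("UPDATE modules SET source = ? WHERE name = 'tampered_demo'", ("ANSWER = 0\n",))
    conn.commit()
    evil = marshal.dumps(compile("ANSWER = -1\n", "<evil>", "exec"))
    importer = SqliteSignedImporter(conn, pub_key, cache_key)
    sys.meta_path.insert(0, importer)
    try:
        import signed_demo
        good = signed_demo.ANSWER
        try:
            import tampered_demo
            bad = "imported"
        except ImportError as exc:
            bad = str(exc)
        # overwrite the cache without the installer key; must be ignored on re-import
        conn.execute("UPDATE modules SET bytecode = ? WHERE name = 'signed_demo'", (evil,))
        conn.commit()
        sys.modules.pop("signed_demo")
        import signed_demo
        after_poison = signed_demo.ANSWER
    finally:
        sys.meta_path.remove(importer)
        sys.modules.pop("signed_demo", None)
    return {"good": good, "bad": bad, "after_poison": after_poison}


if __name__ == "__main__":
    print(demo())
```

With an asymmetric publisher signature the installer would hold only the public key, so the cache tag has to come from a separate, locally generated key as it does here; signing the cache with the publisher key is not an option, and leaving it unsigned hands an attacker with write access to the file a way around the source check.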
participants (3)
- Paul Moore
- Stefan Behnel
- Tim Lesher