[Catalog-sig] PEP 243 - Module Repository Upload Mechanism
Thomas Heller
thomas.heller@ion-tof.com
31 Oct 2002 11:24:24 +0100
I've been playing with a PEP 243 implementation recently.
To remind you, this is Sean Reifschneider's Module Repository Upload
Mechanism PEP: http://www.python.org/peps/pep-0243.html .
With some inspiration from his Swalow code, and some help from
himself, I've played with a CGI script implementing this.
Different from the PEP, I've not used his X-Swalow-XXX headers to
return results to the uploader; instead the cgi-script returns an HTML
page (if submitted from a web-browser), or plain text (if called
programmatically).
In addition to the swalow code, this script accepts an OpenPGP
compatible signature for the uploaded file, which I create with GnuPG.
I've patched distutils to accept --submit and --sign options for the
bdist_wininst and sdist commands, which will shell out to GnuPG to
create a signature for the created distribution, and then upload the
distribution to the server.
The cgi script itself verifies the signature against a keyring on the
server, and, if successful, moves the uploaded file to the public area.
Here's the transcript of a sample session:
C:\pypan>python setup.py sdist --submit --sign
running sdist
reading manifest file 'MANIFEST'
creating pypan-0.2
creating pypan-0.2\PyPan
copying files to pypan-0.2...
copying README -> pypan-0.2
copying make_packagelist.py -> pypan-0.2
copying pypan.py -> pypan-0.2
copying setup.py -> pypan-0.2
copying PyPan\__init__.py -> pypan-0.2\PyPan
copying PyPan\avail.py -> pypan-0.2\PyPan
copying PyPan\install.py -> pypan-0.2\PyPan
copying PyPan\installed.py -> pypan-0.2\PyPan
copying PyPan\tarfile.py -> pypan-0.2\PyPan
C:\Xilinx_ISE\bin\nt\zip.exe -rq dist\pypan-0.2.zip pypan-0.2
removing 'pypan-0.2' (and everything under it)
You need a passphrase to unlock the secret key for
user: "Thomas Heller <theller@python.net>"
1024-bit DSA key, ID B4985CBA, created 2002-10-24
File `dist\pypan-0.2.zip.asc' exists. Overwrite (y/N)? y
created dist\pypan-0.2.zip.asc
submitting dist\pypan-0.2.zip
########
uploader: saving as ./uploads/pypan-0.2.zip
uploader: signature found
uploader: Signature saved as ./uploads/pypan-0.2.zip.asc
uploader: run 'gpg --batch --verify ./uploads/pypan-0.2.zip.asc ./uploads/pypan-0.2.zip 2>&1'
gpg: Warning: using insecure memory!
gpg: Signature made Thu Oct 31 04:48:23 2002 EST using DSA key ID B4985CBA
gpg: Good signature from "Thomas Heller <theller@python.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: DB49 621F C353 2ACF 4954 1DF3 5818 2B59 B498 5CBA
uploader: seems to be a source archive file
uploader: parsed ok
uploader: final destination ./packages/uploaded/pypan-0.2.zip
uploader: final destination ./packages/uploaded/pypan-0.2.zip.asc
unknown filetype uploaded/pypan-0.2.zip.asc
unknown filetype uploaded/pypan-0.2.win32.exe.asc
unknown filetype packages.xml
uploader: now 13 packages
The lines following the '#######' are the text returned by the CGI script.
There is a security concern which has to be addressed, I'm aware of
that: when creating the signature you have to supply your passphrase
to the running distutils sdist or bdist_wininst command. I don't think
I like this.
Comments?
Thomas
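As an added example (not Thomas's CGI script), here is one way the server-side check in the transcript could be made to depend on which key signed, not just on gpg printing "Good signature": gpg is driven with --status-fd and the upload is published only on a VALIDSIG line whose full fingerprint is on an allowlist, which is what the "not certified" warning in the transcript is about. The allowlist and the status lines are constructed samples; verify_and_publish assumes gpg is on PATH and a keyring file on the server.

```python
import shutil
import subprocess
from pathlib import Path

# Constructed allowlist: full fingerprints of keys permitted to publish.
ALLOWED_FINGERPRINTS = {"DB49621FC3532ACF49541DF358182B59B4985CBA"}

# Constructed samples of what 'gpg --status-fd 1 --verify' writes to stdout.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 58182B59B4985CBA Thomas Heller <theller@python.net>\n"
    "[GNUPG:] VALIDSIG DB49621FC3532ACF49541DF358182B59B4985CBA 2002-10-31\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"   # the 'not certified' warning, as status
)
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 58182B59B4985CBA Thomas Heller\n"

FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

def decide(status_output, allowed=ALLOWED_FINGERPRINTS):
    """Return (accepted, reason). Accept only on VALIDSIG from a key whose
    full fingerprint is on the allowlist; a 'Good signature' from any other
    key that happens to sit in the keyring is rejected."""
    fingerprint = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()
    if fingerprint is None:
        return False, "no VALIDSIG"
    if fingerprint not in allowed:
        return False, "unlisted key " + fingerprint
    return True, fingerprint

def verify_and_publish(archive, signature, keyring, public_dir):
    """Verify against the server keyring; move both files only on acceptance."""
    # Argument list rather than a shell string, so file names reach gpg unparsed.
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
           "--status-fd", "1", "--verify", str(signature), str(archive)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    ok, reason = decide(proc.stdout)
    if ok:
        for f in (archive, signature):
            shutil.move(str(f), str(Path(public_dir) / Path(f).name))
    return ok, reason
```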