[Catalog-sig] Mirror authenticity
"Martin v. Löwis"
martin at v.loewis.de
Sat Mar 28 19:22:04 CET 2009
> I suspect python-crypto is too low-level; OpenSSL uses PEM-encoding
> and supports S/MIME signatures, but pycrypto doesn't implement PEM at
> all. It might be better to rely on having the 'openssl' executable
> available and figuring out the right switches to generate a signature.
Unfortunately, using the openssl command line isn't good enough.
It doesn't support DSA signing or verifying (the PyPI client would
need verification, not signing).
On the server, I now have M2Crypto working.
One option would have been to use gpg signing; however, that would
break on systems that don't normally have a gpg binary available
(similar to relying on the openssl binary).
> (BTW, I'm not maintaining python-crypto any longer; Dwayne
> Litzenberger has taken it over and has a new site at www.pycrypto.org.
> I don't know what his plans are for a new release.)
I really only need the algorithm that does the signature verification.
I'll do the PEM support myself; I find DER not too difficult.
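
An added example, not part of the original message and not PyPI's code: the PEM-then-DER handling mentioned in the reply, using only the Python standard library to unwrap PEM armor and strictly parse a DER-encoded DSA signature (a SEQUENCE of two INTEGERs, r and s) before any verification arithmetic is attempted. The PEM label `DSA SIGNATURE`, the function names and the sample values are assumptions constructed for this example.

```python
import base64
import re

# Constructed sample: the "DSA SIGNATURE" label and the toy values r=1, s=255 are made up.
SAMPLE_PEM = "-----BEGIN DSA SIGNATURE-----\nMAcCAQECAgD/\n-----END DSA SIGNATURE-----\n"

def pem_to_der(pem_text, label):
    """Strip the PEM armor for `label` and return the DER bytes inside."""
    pattern = "-----BEGIN {0}-----(.*?)-----END {0}-----".format(re.escape(label))
    m = re.search(pattern, pem_text, re.S)
    if m is None:
        raise ValueError("no PEM block labelled %r" % label)
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def _read_tlv(buf, pos, tag):
    """Read one definite-length DER element with `tag`; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding (BER, not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return buf[pos:pos + length], pos + length

def _read_positive_int(buf, pos):
    """Read a DER INTEGER that must be minimally encoded and > 0, as r and s are."""
    value, pos = _read_tlv(buf, pos, 0x02)
    if not value or value[0] & 0x80 or not any(value):
        raise ValueError("INTEGER is empty, negative or zero")
    if value[0] == 0 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(value, "big"), pos

def parse_dsa_signature(der):
    """Return (r, s) from SEQUENCE { INTEGER r, INTEGER s }, rejecting any slack."""
    body, end = _read_tlv(der, 0, 0x30)
    r, pos = _read_positive_int(body, 0)
    s, pos = _read_positive_int(body, pos)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing bytes in signature")
    return r, s
```

Rejecting non-minimal lengths, padded integers and trailing bytes means each (r, s) pair has exactly one accepted encoding, so a mirror cannot present a re-encoded variant of a valid signature.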