[Catalog-sig] Mirror authenticity

"Martin v. Löwis" martin at v.loewis.de
Sat Mar 28 19:22:04 CET 2009

> I suspect python-crypto is too low-level; OpenSSL uses PEM-encoding
> and supports S/MIME signatures, but pycrypto doesn't implement PEM at
> all.  It might be better to rely on having the 'openssl' executable
> available and figuring out the right switches to generate a signature.

Unfortunately, using the openssl command line isn't good enough.
It doesn't support DSA signing or verifying (the PyPI client would
need verification, not signing).

On the server, I have now M2Crypto working.

One option would have been to use gpg signing, however that would
break on systems that don't normally have a gpg binary available
(similar to relying on the openssl binary)

> (BTW, I'm not maintaining python-crypto any longer; Dwayne
> Litzenberger has taken it over and has a new site at www.pycrypto.org.
> I don't know what his plans are for a new release.)

I really only need the algorithm that does the signature verification.
I'll do the PEM support myself; I find DER not too difficult.


More information about the Catalog-SIG mailing list