[Catalog-sig] getting the public key when --sign is used
Tarek Ziadé
tarek at ziade.org
Mon Nov 19 19:37:11 CET 2012
Hey
I am currently writing a small script to verify that the gpg signature is correct when the --sign option is used with the Distutils upload command, and I was wondering why we don't publish the public key alongside the .asc file.

Right now, unless I missed something, to verify a signature the user has to manually get the public key before she can control the tarball.

Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive file and the .asc file on PyPI? (since we don't have a notion of team/users etc.)
Cheers
Tarek
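As an added example (not code from this post or from Distutils), the Python below sketches what such a verification could look like on the consumer side: the sidecar .pubkey is imported into a throwaway keyring, `gpg --verify` checks the .asc against the archive, and the signing key's fingerprint is pinned against a value obtained out of band, since a key published next to the artifact only proves the signature matches that key, not that the key belongs to the maintainer. The file names, the sample `--status-fd` lines and the fingerprint are constructed.

```python
"""Verify a detached GPG signature (archive + archive.asc) using a sidecar public key."""
import os
import subprocess
import tempfile

# Constructed sample of what `gpg --status-fd 1 --verify` emits (not real output).
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2012-11-19 1353350231 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
"""


def parse_gpg_status(status_text):
    """Turn gpg status lines into (ok, fingerprint).

    ok is True only when gpg reported both GOODSIG and VALIDSIG; any BADSIG,
    ERRSIG, NO_PUBKEY, expired or revoked key makes the verdict False.
    """
    good, fpr = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            fpr = fields[2].upper()  # full fingerprint of the key that signed
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, None
    return (good and fpr is not None), fpr


def fingerprint_matches(fpr, expected_fpr):
    """Pin the signing key: the .pubkey alone says nothing about who owns it."""
    return fpr is not None and fpr == expected_fpr.replace(" ", "").upper()


def verify_archive(archive, asc, pubkey, expected_fpr):
    """Import the sidecar key into a temporary keyring, verify, and pin the fingerprint."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)  # gpg refuses homedirs with loose permissions
        base = ["gpg", "--batch", "--homedir", home, "--status-fd", "1"]
        subprocess.run(base + ["--import", pubkey], capture_output=True, check=True)
        out = subprocess.run(base + ["--verify", asc, archive], capture_output=True, text=True)
    ok, fpr = parse_gpg_status(out.stdout)
    return ok and fingerprint_matches(fpr, expected_fpr)
```

Usage would be `verify_archive("pkg-1.0.tar.gz", "pkg-1.0.tar.gz.asc", "pkg-1.0.tar.gz.pubkey", "<fingerprint from the maintainer's site or a key server>")`; a `TRUST_UNDEFINED` line is expected for a freshly imported key, which is exactly why the fingerprint check is there.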