[Catalog-sig] getting the public key when --sign is used

Tarek Ziadé tarek at ziade.org
Mon Nov 19 19:37:11 CET 2012


I am currently writing a small script to verify that the gpg signature 
is correct when the --sign option
is used with the Distutils upload command, and I was wondering why we 
don't publish the public key
alongside the .asc file.

Right now, unless I missed something, to verify a signature the user has 
to manually get the public key before she
can control the tarball.

Wouldn't it make sense to modify the upload command and add a .pubkey 
file alongside the archive file
and the .asc file on PyPI ?  (since we don't have a notion of team/users 


More information about the Catalog-SIG mailing list