[Catalog-sig] getting the public key when --sign is used

Daniel Holth dholth at gmail.com
Mon Nov 19 19:43:47 CET 2012


If pypi would also sign the public key, and possibly the metadata for a
particular release, that feature could be pretty cool.


On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <tarek at ziade.org> wrote:

> Hey
>
>
> I am currently writing a small script to verify that the gpg signature is
> correct when the --sign option
> is used with the Distutils upload command, and I was wondering why we
> don't publish the public key
> alongside the .asc file.
>
> Right now, unless I missed something, to verify a signature the user has
> to manually get the public key before she
> can control the tarball.
>
> Wouldn't it make sense to modify the upload command and add a .pubkey file
> alongside the archive file
> and the .asc file on PyPI ?  (since we don't have a notion of team/users
> etc.)
>
> Cheers
> Tarek
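An added example, not code from this thread, Distutils or PyPI: a Python helper that verifies a downloaded release archive against its detached `.asc` signature using a `.pubkey` file fetched alongside it, but only after checking that key against a fingerprint obtained out of band (as Daniel's reply implies, a key published next to the artifact proves only that the uploader of both controlled that key). It assumes `gpg` (GnuPG 2.1.14 or later, for `--import-options show-only`) is on PATH; file names and the fingerprint are placeholders.

```python
"""Verify a release archive's detached GnuPG signature against a pinned key.

The .pubkey shipped next to the archive is imported into a throwaway keyring,
but the signature only counts if the signing key matches a fingerprint the
caller obtained from a trusted channel (project docs, a signed announcement).
"""
import os
import subprocess
import tempfile


def fingerprint_from_colons(colons_output):
    """Return the primary key fingerprint from `gpg --with-colons` output.

    In colon-separated records the 'fpr' line carries the fingerprint in
    field 10 (index 9).
    """
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            return fields[9].upper()
    return None


def signer_from_status(status_output):
    """Return the signing key fingerprint from a VALIDSIG status line, if any."""
    for line in status_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return tokens[2].upper()
    return None


def verify_release(archive, asc_path, pubkey_path, pinned_fpr):
    """True only if the .asc verifies under the key whose fingerprint is pinned."""
    pinned = pinned_fpr.replace(" ", "").upper()
    with tempfile.TemporaryDirectory() as home:   # isolated keyring, no trust db
        env = dict(os.environ, GNUPGHOME=home)
        gpg = ["gpg", "--batch", "--no-tty"]
        shown = subprocess.run(gpg + ["--with-colons", "--import-options", "show-only",
                                      "--import", pubkey_path],
                               env=env, capture_output=True, text=True)
        if fingerprint_from_colons(shown.stdout) != pinned:
            return False   # whatever .pubkey contains, it is not the expected key
        subprocess.run(gpg + ["--import", pubkey_path], env=env,
                       capture_output=True, check=True)
        res = subprocess.run(gpg + ["--status-fd", "1", "--verify", asc_path, archive],
                             env=env, capture_output=True, text=True)
        return res.returncode == 0 and signer_from_status(res.stdout) == pinned


if __name__ == "__main__":
    # Placeholder names; the fingerprint must come from a trusted source, not PyPI.
    print(verify_release("pkg-1.0.tar.gz", "pkg-1.0.tar.gz.asc",
                         "pkg-1.0.tar.gz.pubkey", "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"))
```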

