[Catalog-sig] getting the public key when --sign is used

Daniel Holth dholth at gmail.com
Mon Nov 19 19:43:47 CET 2012

If pypi would also sign the public key, and possibly the metadata for a
particular release, that feature could be pretty cool.

On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <tarek at ziade.org> wrote:

> Hey
> I am currently writing a small script to verify that the gpg signature is
> correct when the --sign option
> is used with the Distutils upload command, and I was wondering why we
> don't publish the public key
> alongside the .asc file.
> Right now, unless I missed something, to verify a signature the user has
> to manually get the public key before she
> can control the tarball.
> Wouldn't it make sense to modify the upload command and add a .pubkey file
> alongside the archive file
> and the .asc file on PyPI ?  (since we don't have a notion of team/users
> etc.)
> Cheers
> Tarek
> ______________________________**_________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/**mailman/listinfo/catalog-sig<http://mail.python.org/mailman/listinfo/catalog-sig>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20121119/26a8a763/attachment.html>

More information about the Catalog-SIG mailing list