[Catalog-sig] getting the public key when --sign is used
dholth at gmail.com
Mon Nov 19 19:43:47 CET 2012
If PyPI would also sign the public key, and possibly the metadata for a
particular release, that feature could be pretty cool.
On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <tarek at ziade.org> wrote:
> I am currently writing a small script to verify that the gpg signature is
> correct when the --sign option
> is used with the Distutils upload command, and I was wondering why we
> don't publish the public key
> alongside the .asc file.
> Right now, unless I missed something, to verify a signature the user has
> to manually get the public key before she
> can control the tarball.
> Wouldn't it make sense to modify the upload command and add a .pubkey file
> alongside the archive file
> and the .asc file on PyPI? (since we don't have a notion of team/users