[Catalog-sig] getting the public key when --sign is used

Tarek Ziadé tarek at ziade.org
Mon Nov 19 19:45:51 CET 2012

On 11/19/12 7:43 PM, Daniel Holth wrote:
> If pypi would also sign the public key, and possibly the metadata for 
> a particular release, that feature could be pretty cool.

why pip ?

> On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <tarek at ziade.org 
> <mailto:tarek at ziade.org>> wrote:
>     Hey
>     I am currently writing a small script to verify that the gpg
>     signature is correct when the --sign option
>     is used with the Distutils upload command, and I was wondering why
>     we don't publish the public key
>     alongside the .asc file.
>     Right now, unless I missed something, to verify a signature the
>     user has to manually get the public key before she
>     can control the tarball.
>     Wouldn't it make sense to modify the upload command and add a
>     .pubkey file alongside the archive file
>     and the .asc file on PyPI ?  (since we don't have a notion of
>     team/users etc.)
>     Cheers
>     Tarek
>     _______________________________________________
>     Catalog-SIG mailing list
>     Catalog-SIG at python.org <mailto:Catalog-SIG at python.org>
>     http://mail.python.org/mailman/listinfo/catalog-sig

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20121119/7c602d0e/attachment.html>

More information about the Catalog-SIG mailing list