[Catalog-sig] getting the public key when --sign is used

M.-A. Lemburg mal at egenix.com
Mon Nov 19 19:55:08 CET 2012

On 19.11.2012 19:37, Tarek Ziadé wrote:
> Hey
> I am currently writing a small script to verify that the gpg signature is correct when the --sign
> option is used with the Distutils upload command, and I was wondering why we don't publish the
> public key alongside the .asc file.
> Right now, unless I missed something, to verify a signature the user has to manually get the
> public key before she can control the tarball.
> Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive
> file and the .asc file on PyPI ? (since we don't have a notion of team/users etc.)

Doesn't that cause problems when revoking a public key ?

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Nov 19 2012)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
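The revocation concern raised in this reply is concrete for anyone writing the verification script Tarek describes: gpg still emits a VALIDSIG status line for a signature made by a revoked or expired key, so a script that only looks for VALIDSIG (or only checks the exit code loosely) will accept a tarball signed with a key the maintainer has already revoked. The example below is added here and is not code from this thread or from Distutils; it assumes the `[GNUPG:] KEYWORD args` status-line format that gpg produces with `--status-fd`, and the sample status lines are constructed for illustration (the key ids, fingerprints and names are placeholders). It parses the status output and accepts a detached signature only when gpg reported GOODSIG and VALIDSIG, no REVKEYSIG/EXPKEYSIG/BADSIG/ERRSIG, and (optionally) a trust level the verifier is willing to rely on.

```python
import subprocess

# gpg prefixes every machine-readable status line with this when run with --status-fd.
STATUS_PREFIX = "[GNUPG:] "

# The signature checked out cryptographically, but the key must not be trusted:
# gpg emits one of these INSTEAD of GOODSIG for revoked/expired keys, while still
# emitting VALIDSIG. A VALIDSIG-only check silently accepts these.
KEY_STATE_FAILURES = {"REVKEYSIG", "EXPKEYSIG", "EXPSIG", "KEYREVOKED"}
# The signature itself is bad or could not be verified at all.
SIG_FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY"}
# Web-of-trust levels accepted for the signing key.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_status(lines):
    """Map each status keyword to the list of argument strings gpg reported for it."""
    status = {}
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary stderr/stdout chatter, not a status line
        parts = line[len(STATUS_PREFIX):].split(None, 1)
        keyword = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        status.setdefault(keyword, []).append(args)
    return status


def naive_check(status):
    """The mistake this example warns about: treating VALIDSIG alone as success."""
    return "VALIDSIG" in status


def evaluate(status, require_trust=True):
    """Decide whether a detached signature should be accepted.

    Returns (accepted, reason). Key-state and signature failures are checked
    before the positive conditions so a revoked key can never be accepted.
    """
    for kw in SIG_FAILURES:
        if kw in status:
            return False, f"{kw}: {status[kw][0]}"
    for kw in KEY_STATE_FAILURES:
        if kw in status:
            return False, f"{kw}: {status[kw][0]}"
    if "GOODSIG" not in status or "VALIDSIG" not in status:
        return False, "no GOODSIG/VALIDSIG reported"
    if require_trust and not (ACCEPTED_TRUST & status.keys()):
        return False, "signing key is not trusted (web of trust)"
    fingerprint = status["VALIDSIG"][0].split()[0]
    return True, f"good signature from key {fingerprint}"


def verify_detached(sig_path, data_path, gpg="gpg", require_trust=True):
    """Run gpg on a detached .asc signature and its data file, then evaluate the status lines.

    Requires a gpg binary and the signer's public key in the local keyring;
    this function is not exercised by the constructed samples below.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return evaluate(parse_status(proc.stdout.splitlines()), require_trust)


# Constructed sample status output (placeholder key ids/fingerprints, not real keys).
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-11-19 1353351428 0 4 0 1 10 00",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
# Same signature, but the maintainer has since revoked the key: VALIDSIG is still present.
SAMPLE_REVOKED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-11-19 1353351428 0 4 0 1 10 00",
    "[GNUPG:] TRUST_NEVER 0 pgp",
]

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("revoked", SAMPLE_REVOKED)):
        st = parse_status(sample)
        print(name, "naive:", naive_check(st), "careful:", evaluate(st))
```

Running the samples shows the gap: the naive check returns True for both the good and the revoked case, while `evaluate` rejects the revoked one with the REVKEYSIG reason. This is also why a `.pubkey` file served next to the archive does not by itself answer the revocation question: the verifier still needs an up-to-date copy of the key (and its revocation certificate) from somewhere other than the artifact being verified.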