[Catalog-sig] getting the public key when --sign is used
tarek at ziade.org
Mon Nov 19 22:34:31 CET 2012
On 11/19/12 7:55 PM, M.-A. Lemburg wrote:
> On 19.11.2012 19:37, Tarek Ziadé wrote:
>> I am currently writing a small script to verify that the gpg signature is correct when --sign
>> is used with the Distutils upload command, and I was wondering why we don't publish the public key
>> alongside the .asc file.
>> Right now, unless I missed something, to verify a signature the user has to manually get the public
>> key before she can control the tarball.
>> Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive file
>> and the .asc file on PyPI? (since we don't have a notion of team/users etc.)
> Doesn't that cause problems when revoking a public key?
That problem still exists as things are today at PyPI: if you sign a
package you get an .asc file uploaded, and you need to tell people where
your public key is.
If you change your key, the .asc file is not valid anymore.
I am not sure what would be the best way to do this: maybe we should
allow people to update the .asc files?
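The verification flow the thread is discussing, as an added example that is not code from the thread, from Distutils or from PyPI: import the .pubkey file published next to the tarball into a throwaway keyring, run gpg with --status-fd against the .asc file, and classify the machine-readable status lines. The status keywords (GOODSIG, BADSIG, NO_PUBKEY, REVKEYSIG, EXPKEYSIG, EXPSIG, VALIDSIG) are gpg's documented ones; the key id, fingerprint, user id and the three sample status outputs below are constructed for illustration. The revocation case raised above is handled explicitly: gpg reports REVKEYSIG instead of GOODSIG for a signature made by a since-revoked key, and the verdict treats that as a failure. Because a self-published .pubkey only proves that the signer holds the key sitting next to the archive, the acceptance check can also pin an expected fingerprint obtained out of band.

```python
"""Verify a detached GPG signature (.asc) on a release tarball using a
public key file published alongside it, and classify gpg's status output."""
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

GOOD, BAD, REVOKED, EXPIRED, NO_KEY, UNKNOWN = (
    "good", "bad", "revoked-key", "expired", "no-public-key", "unknown")

# For each signature gpg emits exactly one of these verdict keywords.
_VERDICTS = {
    "GOODSIG": GOOD,
    "BADSIG": BAD,
    "REVKEYSIG": REVOKED,   # signature is mathematically fine, key is revoked
    "EXPKEYSIG": EXPIRED,   # signing key has expired
    "EXPSIG": EXPIRED,      # the signature itself has expired
    "NO_PUBKEY": NO_KEY,    # key not in the keyring: nothing was checked
}


@dataclass
class Verdict:
    status: str
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None          # signing (sub)key fingerprint
    primary_fingerprint: Optional[str] = None  # primary key fingerprint


def parse_gpg_status(status_text: str) -> Verdict:
    """Classify the "[GNUPG:] KEYWORD args..." lines from gpg --status-fd."""
    verdict = Verdict(status=UNKNOWN)
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in _VERDICTS:
            verdict.status = _VERDICTS[keyword]
            verdict.key_id = fields[2] if len(fields) > 2 else None
        elif keyword == "VALIDSIG" and len(fields) > 2:
            verdict.fingerprint = fields[2]
            # Field 12 (index 11) is the primary key fingerprint when present.
            verdict.primary_fingerprint = fields[11] if len(fields) > 11 else fields[2]
    return verdict


def accept(verdict: Verdict, expected_fingerprint: Optional[str] = None) -> bool:
    """Accept only a GOODSIG from a non-revoked, non-expired key, optionally
    pinned to a fingerprint the user obtained out of band."""
    if verdict.status != GOOD:
        return False
    if expected_fingerprint is None:
        return True
    want = expected_fingerprint.replace(" ", "").upper()
    return want in (verdict.fingerprint, verdict.primary_fingerprint)


def verify_release(tarball: str, asc: str, pubkey: str,
                   expected_fingerprint: Optional[str] = None) -> Verdict:
    """Import the published .pubkey into a temporary keyring and verify."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--batch", "--no-tty", "--homedir", home]
        subprocess.run(base + ["--import", pubkey], check=True, capture_output=True)
        proc = subprocess.run(base + ["--status-fd", "1", "--verify", asc, tarball],
                              capture_output=True, text=True)
        verdict = parse_gpg_status(proc.stdout)
        if not accept(verdict, expected_fingerprint):
            verdict.status = verdict.status if verdict.status != GOOD else "fingerprint-mismatch"
        return verdict


# Constructed sample status outputs (not captured from a real key).
FPR = "0000111122223333444455556666777788889999"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2012-11-19 1353360871 0 4 0 1 10 00 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
SAMPLE_REVOKED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2012-11-19 1353360871 0 4 0 1 10 00 {FPR}\n")
SAMPLE_NO_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1353360871 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")

if __name__ == "__main__":
    # usage: verify.py package.tar.gz package.tar.gz.asc package.pubkey [FINGERPRINT]
    args = sys.argv[1:]
    result = verify_release(*args[:3], expected_fingerprint=args[3] if len(args) > 3 else None)
    print(result)
    sys.exit(0 if result.status == GOOD else 1)
```

Running the script against real files needs a gpg binary on the PATH; the parsing and acceptance logic can be exercised on the constructed samples without one.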