[Catalog-sig] getting the public key when --sign is used

"Martin v. Löwis" martin at v.loewis.de
Tue Nov 20 13:49:57 CET 2012

Am 19.11.12 19:37, schrieb Tarek Ziadé:
> Wouldn't it make sense to modify the upload command and add a .pubkey
> file alongside the archive file
> and the .asc file on PyPI ?  (since we don't have a notion of team/users
> etc.)

Each user is supposed to provide his PGP key ID. For those that did, we
could fetch them from the key server. OTOH, users can also fetch them

In PGP, keys should really be on the key servers, rather than having
distributed copies, since they get updated (e.g. when counter-signed
or revoked).


More information about the Catalog-SIG mailing list