[Catalog-sig] getting the public key when --sign is used

Tarek Ziadé tarek at ziade.org
Tue Nov 20 13:54:24 CET 2012

On 11/20/12 1:49 PM, "Martin v. Löwis" wrote:
> Am 19.11.12 19:37, schrieb Tarek Ziadé:
>> Wouldn't it make sense to modify the upload command and add a .pubkey
>> file alongside the archive file
>> and the .asc file on PyPI ?  (since we don't have a notion of team/users
>> etc.)
> Each user is supposed to provide his PGP key ID. For those that did, we
> could fetch them from the key server.

In some projects we have several owners and maintainers, so I am not sure
how we can decide which key to use. The initial owner ?

Maybe we'd need to add a project <> key relation that's set by default
to the initial owner's key, but could be change afterwards.

But as other said, if we start to add those features, we are going to 
hit all
the PKI issues - like the need to be able to revoke keys etc.

> OTOH, users can also fetch them
> themselves.
> In PGP, keys should really be on the key servers, rather than having
> distributed copies, since they get updated (e.g. when counter-signed
> or revoked).

This sounds more robust. I will investigate and see if I can come up 
with a set of good practice here.

> Regards,
> Martin

More information about the Catalog-SIG mailing list