[Catalog-sig] getting the public key when --sign is used

M.-A. Lemburg mal at egenix.com
Tue Nov 20 20:17:33 CET 2012


Donald Stufft wrote:
> On Tuesday, November 20, 2012 at 3:41 AM, M.-A. Lemburg wrote:
>> For the second requirement, updating the .asc file would be
>> a solution. Alternatively, the packagers could check the revocation
>> date and then still allow packages to be installed which were signed
>> before the revocation happened.
> 
> No, if a key is revoked it can no longer be used. I may discover that 
> my key has been compromised months after it was actually compromised.
> I would then revoke it. I have no idea if the person who (in the hypothetical)
> signed any packages with my key, or for how long they've been doing so.
> 
> Once a key is revoked you must not trust it for anything.

Good point, even though that makes it very difficult to deal with
the validity of signatures on older packages - the package author
may no longer be in possession of the needed bits to sign those
packages again or do a re-upload.

Hmm, perhaps just signing the hash value is good enough. Those
would be stored on PyPI and remain accessible.

I wonder how systems like Debian or the various RPM-based ones
deal with the problem.

-- 
Marc-Andre Lemburg
eGenix.com Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
