[Catalog-sig] [Draft] Package signing and verification process

Zygmunt Krynicki zygmunt.krynicki at canonical.com
Tue Feb 5 20:56:38 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05.02.2013 20:21, Christian Heimes wrote:
> User installs package
> ---------------------
> 
> process:
> - <tool> retrieves the package and the combined signature file
>   (PyPI's signature, metadata file and embedded signature of the
>   uploader)
> - <tool> optionally downloads missing GPG keys from PyPI
> - <tool> verifies PyPI's signature of the metadata file and then
>   the uploader's signature of the content
> - on success <tool> installs the package
> 
> The verification process needs some interaction with the
> downloader. She must accept and establish a trust level with each
> key. This needs to be discussed in detail.

Perhaps this part could be handled by the (still unimplemented) distrust
system that I'm writing:

https://github.com/zyga/distrust

Thanks
ZK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
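The two-layer check Christian describes (index signature over a metadata file, then the uploader's signature over the content, with a key lookup and a trust decision in between) is easy to get subtly wrong in the ordering, so here is an added example of that flow. It is not code from the thread, from PyPI or from the distrust project; it uses Ed25519 as a stand-in for GPG, a SHA-256-of-key "fingerprint" of its own invention, and hypothetical `Publish`/`Installer` names. The `Fetch` and `Trusted` callbacks are the two open points from the message: where a missing key comes from, and who decides to trust it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Metadata is the file the index (PyPI) signs. It binds the release to the
// content digest and to the fingerprint of the uploader's key.
type Metadata struct {
	Name       string `json:"name"`
	Version    string `json:"version"`
	SHA256     string `json:"sha256"`
	UploaderFP string `json:"uploader_fingerprint"`
}

// CombinedSignature stands in for the single signature file from the thread:
// PyPI's signature over the metadata plus the uploader's signature over the content.
type CombinedSignature struct {
	Metadata    []byte
	PyPISig     []byte
	UploaderSig []byte
}

// fingerprint is a hypothetical key identifier (SHA-256 of the raw public key).
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Publish plays both parties on the upload side: the uploader signs the
// content, the index signs metadata that names that content and that key.
func Publish(pypiPriv, uploaderPriv ed25519.PrivateKey, name, version string, pkg []byte) (CombinedSignature, error) {
	sum := sha256.Sum256(pkg)
	md := Metadata{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:]),
		UploaderFP: fingerprint(uploaderPriv.Public().(ed25519.PublicKey))}
	raw, err := json.Marshal(md)
	if err != nil {
		return CombinedSignature{}, err
	}
	return CombinedSignature{
		Metadata:    raw,
		PyPISig:     ed25519.Sign(pypiPriv, raw),
		UploaderSig: ed25519.Sign(uploaderPriv, pkg),
	}, nil
}

// Installer is the <tool> side of the process.
type Installer struct {
	PyPIKey ed25519.PublicKey                         // pinned trust root for the index
	Keyring map[string]ed25519.PublicKey              // locally known uploader keys
	Fetch   func(fp string) (ed25519.PublicKey, bool) // stand-in for downloading a missing key from PyPI
	Trusted func(fp string) bool                      // the user's trust decision, left open in the thread
}

// Verify runs the checks in the order the thread lists them and returns the
// metadata only if every step passed; on any error the caller must not install.
func (in *Installer) Verify(pkg []byte, cs CombinedSignature) (Metadata, error) {
	var md Metadata
	// 1. The index's signature over the metadata file.
	if !ed25519.Verify(in.PyPIKey, cs.Metadata, cs.PyPISig) {
		return md, errors.New("PyPI signature over metadata is invalid")
	}
	if err := json.Unmarshal(cs.Metadata, &md); err != nil {
		return md, err
	}
	// 2. The downloaded content must be the content the signed metadata names.
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != md.SHA256 {
		return md, errors.New("package digest does not match signed metadata")
	}
	// 3. Locate the uploader's key, fetching it only if it is not already known,
	//    and never accept a fetched key whose fingerprint differs from the metadata.
	if in.Keyring == nil {
		in.Keyring = map[string]ed25519.PublicKey{}
	}
	key, ok := in.Keyring[md.UploaderFP]
	if !ok {
		if in.Fetch == nil {
			return md, errors.New("uploader key unknown and no key source configured")
		}
		if key, ok = in.Fetch(md.UploaderFP); !ok || fingerprint(key) != md.UploaderFP {
			return md, errors.New("could not obtain a key matching the uploader fingerprint")
		}
		in.Keyring[md.UploaderFP] = key
	}
	// 4. The user (or a policy layer such as the distrust idea) must trust that key.
	if in.Trusted == nil || !in.Trusted(md.UploaderFP) {
		return md, errors.New("uploader key is not trusted: " + md.UploaderFP)
	}
	// 5. Finally, the uploader's own signature over the content.
	if !ed25519.Verify(key, pkg, cs.UploaderSig) {
		return md, errors.New("uploader signature over package content is invalid")
	}
	return md, nil
}

func main() {
	// Constructed keys and content for a stand-alone run.
	pypiPub, pypiPriv, _ := ed25519.GenerateKey(rand.Reader)
	upPub, upPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed package content")
	cs, _ := Publish(pypiPriv, upPriv, "example-pkg", "1.0", pkg)
	in := &Installer{PyPIKey: pypiPub,
		Fetch:   func(string) (ed25519.PublicKey, bool) { return upPub, true },
		Trusted: func(string) bool { return true }}
	md, err := in.Verify(pkg, cs)
	fmt.Println("good package:", md.Name, md.Version, err)
	_, err = in.Verify([]byte("tampered content"), cs)
	fmt.Println("tampered package:", err)
}
```

Note that the digest check in step 2 is what lets the index's signature say anything about the bytes on disk; without it the metadata signature only proves the metadata file is genuine, and a swapped archive would only be caught by step 5, after a key has already been fetched and a trust prompt shown.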

