[Catalog-sig] [Draft] Package signing and verification process

Giovanni Bajo rasky at develer.com
Wed Feb 6 02:27:37 CET 2013


Il giorno 05/feb/2013, alle ore 23:41, Lennart Regebro <regebro at gmail.com> ha scritto:

> On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>> - An uploader must be able to revoke her keys from PyPI without
>>> access to her private key.
>> 
>> This is already implemented, a user can modify her listed GPG fingerprint. This is not different from, e.g., the page that allows a github user to install and revoke SSH keys.
> 
> What happens with the signed packages (s)he already uploaded? How do
> they get verified on download if the original key is gone?


I would erase all the existing signatures made by that key, with all the consequences (e.g. pip failing to install, if configured in a way to reject packages without a valid signature). The only reason why one should *remove* a key from PyPI is if it's been revoked because it's compromised, at which point the existing signatures carry no value anymore (even worse, they can actually give false trust).

On the other hand, if the developer migrates to a different key (e.g. a stronger one), I think it makes sense to keep the old one registered in PyPI for the benefit of existing signatures.

It could be argued that it might make sense to let PyPI know that, while a developer has 3 fingerprints in his account, he intends to only use one of them from now on (even though he has no reason to believe the others have been compromised). I wouldn't disagree, but it doesn't sound like the most important feature at this point.
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
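The three key states discussed in this message (active, migrated-away but kept for old signatures, removed as compromised) and their effect on upload and download checks, as an added illustration that is not part of the original post or of PyPI's code. The registry, the `retire`/`revoke` operations and the `require_signature` flag are hypothetical names chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class KeyState(Enum):
    ACTIVE = "active"    # may sign new uploads; its existing signatures are valid
    RETIRED = "retired"  # developer migrated to another key; kept for old signatures
    REVOKED = "revoked"  # removed as compromised; its signatures carry no value


@dataclass
class Signature:
    package: str      # e.g. "foo-1.0" (constructed sample values)
    fingerprint: str  # fingerprint of the key that produced the signature


@dataclass
class KeyRegistry:
    """Hypothetical per-account key registry modelling the policy above."""
    keys: dict[str, KeyState] = field(default_factory=dict)
    signatures: list[Signature] = field(default_factory=list)

    def register(self, fingerprint: str) -> None:
        self.keys[fingerprint] = KeyState.ACTIVE

    def accept_upload(self, sig: Signature) -> bool:
        # Only an ACTIVE key may sign a new upload; RETIRED keys are kept
        # solely for the benefit of signatures made before the migration.
        if self.keys.get(sig.fingerprint) is not KeyState.ACTIVE:
            return False
        self.signatures.append(sig)
        return True

    def retire(self, fingerprint: str) -> None:
        # Key migration (e.g. to a stronger key): old key stays registered.
        if self.keys.get(fingerprint) is KeyState.ACTIVE:
            self.keys[fingerprint] = KeyState.RETIRED

    def revoke(self, fingerprint: str) -> int:
        # Compromised key: erase every signature it made so that a client
        # configured to reject unsigned packages no longer trusts them.
        self.keys[fingerprint] = KeyState.REVOKED
        before = len(self.signatures)
        self.signatures = [s for s in self.signatures if s.fingerprint != fingerprint]
        return before - len(self.signatures)  # number of signatures erased

    def verify_download(self, package: str, require_signature: bool = True) -> bool:
        # Accept if a stored signature for the package comes from an ACTIVE or
        # RETIRED key; a REVOKED key has no stored signatures left to trust.
        for s in self.signatures:
            if s.package == package and self.keys.get(s.fingerprint) in (KeyState.ACTIVE, KeyState.RETIRED):
                return True
        return not require_signature  # unsigned: only a lenient client accepts
```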