[Catalog-sig] [Draft] Package signing and verification process
Christian Heimes
christian at python.org
Wed Feb 6 12:03:37 CET 2013
On 05.02.2013 23:41, Lennart Regebro wrote:
> On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>> - An uploader must be able to revoke her keys from PyPI without
>>> access to her private key.
>>
>> This is already implemented, a user can modify her listed GPG fingerprint. This is not different from, e.g., the page that allows a github user to install and revoke SSH keys.
>
> What happens with the signed packages (s)he already uploaded? How do
> they get verified on download if the original key is gone?
Long story short: They can't.
When a key is revoked you can no longer trust any signature made with
that key. When a user/key is removed/revoked from the system then all
signatures are invalidated.
You have to keep in mind that key revocation and key expiration are two
different things. A user can disable or expire a key. Old signatures
stay valid but the key can no longer be used to sign packages after the
expiration date.
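The two cases above, as an added Python sketch that is not code from this thread or from PyPI: a verifier that holds an uploader's listed keys and decides whether the signature on a download is still trusted. It models only the trust policy (revoked vs. expired vs. delisted key); the fingerprints, timestamps and key states are constructed for illustration, and a real verifier would first check the signature cryptographically.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ListedKey:
    fingerprint: str
    expires_at: Optional[datetime] = None  # set when the owner expires/disables the key
    revoked: bool = False                  # set when the owner revokes the key

@dataclass
class SignedRelease:
    name: str
    fingerprint: str       # key that produced the detached signature
    signed_at: datetime    # signature creation time

def signature_trusted(release, listed_keys):
    """Return (trusted, reason) for a release under the policy from the thread:
    a revoked or delisted key invalidates every signature it ever made, while an
    expired key keeps old signatures valid and only rejects later ones."""
    key = listed_keys.get(release.fingerprint)
    if key is None:
        return False, "key removed from the uploader's listing"
    if key.revoked:
        return False, "key revoked: all signatures made with it are invalidated"
    if key.expires_at is not None and release.signed_at >= key.expires_at:
        return False, "signature made after the key expired"
    return True, "signature made while the key was valid"

# Constructed sample data (fingerprints and dates are placeholders).
T = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
KEYS = {
    "AAAA1111": ListedKey("AAAA1111", expires_at=T(2013, 1, 1)),  # expired key
    "BBBB2222": ListedKey("BBBB2222", revoked=True),              # revoked key
    "CCCC3333": ListedKey("CCCC3333"),                            # active key
}
RELEASES = [
    SignedRelease("pkg-1.0", "AAAA1111", T(2012, 6, 1)),   # signed before expiry
    SignedRelease("pkg-1.1", "AAAA1111", T(2013, 2, 1)),   # signed after expiry
    SignedRelease("pkg-2.0", "BBBB2222", T(2012, 6, 1)),   # key later revoked
    SignedRelease("pkg-3.0", "DDDD4444", T(2012, 6, 1)),   # key no longer listed
    SignedRelease("pkg-4.0", "CCCC3333", T(2013, 2, 1)),   # active key
]

if __name__ == "__main__":
    for rel in RELEASES:
        ok, why = signature_trusted(rel, KEYS)
        print(f"{rel.name}: {'TRUSTED' if ok else 'REJECTED'} ({why})")
```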