[Catalog-sig] [Draft] Package signing and verification process

Lennart Regebro regebro at gmail.com
Wed Feb 6 12:25:41 CET 2013


On Wed, Feb 6, 2013 at 12:03 PM, Christian Heimes <christian at python.org> wrote:
> Am 05.02.2013 23:41, schrieb Lennart Regebro:
>> On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>>> - An uploader must be able to revoke her keys from PyPI without
>>>>  access to her private key.
>>>
>>> This is already implemented: a user can modify her listed GPG fingerprint. This is not different from, e.g., the page that allows a GitHub user to install and revoke SSH keys.
>>
>> What happens with the signed packages (s)he already uploaded? How do
>> they get verified on download if the original key is gone?
>
> Long story short: They can't.
>
> When a key is revoked you can no longer trust any signature made with
> that key. When a user/key is removed/revoked from the system then all
> signatures are invalidated.
>
> You have to keep in mind that key revocation and key expiration are two
> different things. A user can disable or expire a key. Old signatures
> stay valid but the key can no longer be used to sign packages after the
> expiration date.

Right, and the user should be able to revoke it as well, but they then
need to understand that all their old packages will become invalid,
and that this should only be done if the key has been stolen.

//Lennart
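The revocation-versus-expiration distinction discussed in this exchange, written out as an added example (it is not code from the thread, from PyPI, or from GnuPG). The key and signature records, the field names and the status strings are all constructed for illustration; the cryptographic signature check itself is assumed to have been done elsewhere and is represented by a boolean. The policy encoded is the one Christian describes: a revoked key invalidates every signature ever made with it, while a disabled or expired key keeps earlier signatures valid but cannot produce new ones.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class SigningKey:
    """Constructed per-key state an index might keep for an uploader's key."""
    fingerprint: str
    created: datetime
    expires: Optional[datetime] = None  # None means no expiration date set
    revoked: bool = False   # key compromised: nothing signed with it is trusted
    disabled: bool = False  # uploader retired the key: old signatures stay valid


@dataclass
class PackageSignature:
    """Constructed record of one package signature as seen at download time."""
    fingerprint: str      # key that produced the signature
    signed_at: datetime   # signature creation time
    crypto_ok: bool       # result of the actual signature verification (assumed)


def signature_status(key: SigningKey, sig: PackageSignature) -> str:
    """Classify a signature against the uploader's key record.

    Returns "valid" when a verifier may trust the signature, otherwise a
    short reason. Revocation is checked before any time-based rule because
    it retroactively voids every signature, exactly as described above.
    """
    if sig.fingerprint != key.fingerprint:
        return "wrong-key"
    if not sig.crypto_ok:
        return "bad-signature"
    if key.revoked:
        return "key-revoked"
    if sig.signed_at < key.created:
        return "signed-before-key-created"
    if key.expires is not None and sig.signed_at >= key.expires:
        return "signed-after-expiry"
    # A disabled key still vouches for signatures made while it was in use.
    return "valid"


def may_sign_now(key: SigningKey, now: datetime) -> bool:
    """Whether the uploader may still create new signatures with this key."""
    if key.revoked or key.disabled:
        return False
    if key.expires is not None and now >= key.expires:
        return False
    return True


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: one key that expired, one that was revoked.
EXPIRED_KEY = SigningKey("FINGERPRINT-EXPIRED", created=_utc(2012, 1, 1),
                         expires=_utc(2013, 1, 1))
REVOKED_KEY = SigningKey("FINGERPRINT-REVOKED", created=_utc(2012, 1, 1),
                         revoked=True)

OLD_SIG_EXPIRED = PackageSignature("FINGERPRINT-EXPIRED", _utc(2012, 6, 1), True)
LATE_SIG_EXPIRED = PackageSignature("FINGERPRINT-EXPIRED", _utc(2013, 2, 1), True)
OLD_SIG_REVOKED = PackageSignature("FINGERPRINT-REVOKED", _utc(2012, 6, 1), True)


if __name__ == "__main__":
    now = _utc(2013, 2, 6)
    for key, sig in ((EXPIRED_KEY, OLD_SIG_EXPIRED),
                     (EXPIRED_KEY, LATE_SIG_EXPIRED),
                     (REVOKED_KEY, OLD_SIG_REVOKED)):
        print(sig.fingerprint, sig.signed_at.date(), signature_status(key, sig),
              "can sign now:", may_sign_now(key, now))
```

The point of keeping `revoked` and `disabled`/`expires` as separate fields is that a verifier can keep serving already-signed releases after an uploader simply retires a key, and only has to reject the whole history when the uploader declares the key stolen.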

