[Distutils] updateframework signature format

Daniel Holth dholth at gmail.com
Sun Feb 17 05:34:24 CET 2013


I thought the following was cool. Still trying to understand exactly what
the rules are for accepting new metadata and how much local state is
consulted to do so. I certainly also have deployments that are updated far
less often (annually?) than TUF's recommended key expiry.

Unfortunately the TUF pypi mirror is down, but the RSA signatures for some
example root metadata look like:

 "signatures": [
  {
   "keyid": "b0aae9ed378b7a955966eaf8374200d65367f65dc5dc4a88254a6a6cf5024850",
   "method": "sha256-pkcs1",
   "sig": "H4jck9aILZA1kef7U+LtSj84Iak36gW3M4DqkHlbNNlojxglbfEhT16fhgLSncK7dOZ8fQWlCh6zHynfs/PEPM741WpblKgwR7XE8F1nkvT7cfvexuAF9MwLrlBCDqZLjKzW3gol02VYbZVYdGIVdPKzDILqPxneiPyaWXqW/C28Wmj74KKphe6INCV4ZeDVmIn6mOOiHUjCIpWViIARd1wZVaJA/j8PdB49JIfWTdY6A4KLRT/rH0UsLiLIy8biIr8oqpJPvmGAM0kB0/Mbj6mP5k0USFXP0RB15/JwgSDiIp3QW+86EjQ1t9SD1q+FV3fTwyE1t+4Cr4LD9GvJuQ"
  },
  {

...

And an RSA public key, indexed by its hash or fingerprint, is just:
   "2369aafcc29833ae4279e4384ea6a99d2343d02a80057502e81a82864e4ff439": {
    "keytype": "rsa",
    "keyval": {
     "e": "AQAB",
     "n": "giWZ7HQgDrG+GwCyxqoXsZSRkN5HvIFpJvYsmP50BXBsT2LQdyZcZKJc8OLImwvkmaXwntBD7yZEPZ2PkLKq87h3L+rJww2j/k5nn0RD0v/Blv9BY+rhHp5gWjjI4W5SCs02qmM7/X+62qQnTi6agCJaMD9Azyz57ySWtlLlVankp7PnZPEkxrX0AA8zaLcAZw+37eUgVCwl9zKJTF/4oaAuvH+TLwArAQXNJVrDaHFvWvwvsH3AzwN1pue2ZNn88BNRGxiUfpRdt15e14x8mz3Ye8mHuey8EXz82wTRzZJ0u+f8G1BVzuOBI3eljaDgNJU4X1vjnj/ltoOflyLP1w"
    }
   }
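As an added worked example (written here for illustration; it is neither part of Daniel's post nor TUF's own code), the following pure-Python script builds a key entry and a signature in the shapes shown above and then verifies the signature the way a client would before trusting new root metadata. It assumes: "e" and "n" are big-endian integers in unpadded standard base64 (which is consistent with "AQAB" being 65537); "sha256-pkcs1" means RSASSA-PKCS1-v1_5 with SHA-256 over a canonical JSON serialisation of the signed object (sorted keys, no insignificant whitespace); the key's fingerprint is the SHA-256 of the canonical JSON of the key object; and the envelope carries the signed object under a "signed" field. All of those are assumptions about the format, not facts taken from the post, and a 1024-bit key is generated only so the script runs quickly without third-party libraries.

```python
import base64
import hashlib
import hmac
import json
import secrets

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64enc(data: bytes) -> str:
    """Standard base64 with the '=' padding stripped, like the fields above."""
    return base64.b64encode(data).decode().rstrip("=")


def b64dec(text: str) -> bytes:
    """Inverse of b64enc: restore the padding before decoding."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    """Assumed canonical form: sorted keys, no whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; only used to construct a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:  # top two bits forced so p*q has exactly 2*bits bits
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa(bits: int = 1024):
    """Return (n, e, d) for a constructed demo key (not for real use)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def tuf_key_entry(n: int, e: int):
    """Key object in the {"keytype","keyval":{"e","n"}} shape shown above."""
    key = {"keytype": "rsa", "keyval": {"e": b64enc(int_to_bytes(e)), "n": b64enc(int_to_bytes(n))}}
    keyid = hashlib.sha256(canonical_json(key)).hexdigest()  # assumed fingerprint rule
    return keyid, key


def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(signed: dict, n: int, d: int) -> str:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(canonical_json(signed), k), "big")
    return b64enc(pow(em, d, n).to_bytes(k, "big"))


def verify_signature(signed: dict, key: dict, sig: str) -> bool:
    """RSASSA-PKCS1-v1_5 verify; every structural check fails closed."""
    if key.get("keytype") != "rsa":
        return False
    e = int.from_bytes(b64dec(key["keyval"]["e"]), "big")
    n = int.from_bytes(b64dec(key["keyval"]["n"]), "big")
    k = (n.bit_length() + 7) // 8
    s = b64dec(sig)
    if len(s) != k or int.from_bytes(s, "big") >= n:
        return False
    em = pow(int.from_bytes(s, "big"), e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(canonical_json(signed), k)
    return hmac.compare_digest(em, expected)  # full-encoding comparison, no prefix parsing


def count_valid_signatures(envelope: dict, trusted_keys: dict) -> int:
    """Count envelope signatures made by keys the client already trusts."""
    good = 0
    for entry in envelope.get("signatures", []):
        key = trusted_keys.get(entry.get("keyid"))
        if key and entry.get("method") == "sha256-pkcs1":
            good += verify_signature(envelope["signed"], key, entry["sig"])
    return good
```

A client that consults only `trusted_keys` it already holds (for instance the root keys shipped with the installer) and requires a threshold from `count_valid_signatures` before accepting a new root file is the local state the post wonders about; a signature from a keyid that is not in that set contributes nothing, however well-formed it is.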
