[Distutils] PEP 439 updated

Daniel Holth dholth at gmail.com
Tue Mar 26 14:56:33 CET 2013

Made some progress on the wheel signature system that fills my design
requirements of being key-centric and emphatically not GPG. It turns
out RSA signature verification is just pow(signature, pubkey.e,
pubkey.n) and some hashing. You would be able to use "openssl genrsa
-out private.pem 2048" to generate the private key, "openssl dgst
-sha256 -sign private.pem -binary < partial_jws_blob" to do the actual
signature, and use key fingerprints (the same 32-byte length as
literal Ed25519 public keys) when asking for "something signed with a
particular key or keys".

RSA, while producing slower and bigger signatures than the elliptic
curve Ed25519, would be more palatable to some by being a more
conservative choice and you would be able to use openssl for key

The idea of "multiple signatures / no key revocation" would be limited
to "we don't have tuf yet" installs of things like pip or tuf itself;
once tuf was available, more complex trust delegation would be
available and more subtle attacks could be detected. The idea is to
have a security system with a tiny implementation when you do not
have, want or need something more complex.

On Mon, Mar 25, 2013 at 11:55 PM, Richard Jones <r1chardj0n3s at gmail.com> wrote:
> Hi all,
> I've updated PEP 439 to note the outcome of the recent discussion
> regarding setuptools dependencies and a couple of other minor things.
> The changes are viewable here:
> http://hg.python.org/peps/diff/0d57c70eff91/pep-0439.txt
>     Richard
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
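The verification step described at the top of this message (pow(signature, pubkey.e, pubkey.n) plus hashing) as an added example; this is not code from the post or from the wheel project. It implements RSASSA-PKCS1-v1_5 with SHA-256 in pure Python, which is the scheme "openssl dgst -sha256 -sign" produces, so a signature from that command over the same bytes would verify with the same verify() given the key's n and e. The 512-bit key size and the pure-Python key generation are only to keep the demo fast and self-contained (2048 bits as in the post for real use), and the 32-byte fingerprint scheme (SHA-256 over a length-prefixed n and e) is an assumption for this example, not anything the post specifies. The verifier compares the entire recovered block, padding included, rather than only the trailing digest bytes, because a suffix-only comparison is the classic low-exponent forgery mistake.

```python
"""RSA PKCS#1 v1.5 / SHA-256 sign and verify using only pow() and hashlib.

Example added here; not the wheel project's code. Key size and fingerprint
scheme are assumptions made for the demo (see lead-in).
"""
import hashlib
import hmac
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512, e: int = 65537):
    """Return (n, e, d). 512 bits is a demo size (assumption); use 2048 for real keys."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q:
            continue
        n = p * q
        if n.bit_length() != bits:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:  # e is prime, so this is the gcd(e, phi) == 1 check
            continue
        return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message): 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(message: bytes, n: int, d: int) -> bytes:
    """Same operation as `openssl dgst -sha256 -sign`: RSA over the padded digest."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """pow(signature, e, n), then compare the WHOLE block against the expected encoding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:          # reject length-mangled signatures
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:                       # out-of-range integer is never a valid signature
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Full comparison (padding included) defeats malformed-padding forgeries.
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def fingerprint(n: int, e: int) -> bytes:
    """32-byte key id. Assumed scheme for this example: SHA-256 over length-prefixed n, e."""
    def enc(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return len(b).to_bytes(4, "big") + b
    return hashlib.sha256(enc(n) + enc(e)).digest()


def demo() -> int:
    """Sign a constructed stand-in for the JWS blob, verify it, reject tampering."""
    n, e, d = generate_keypair()
    payload = b'{"alg":"RS256","hash":"sha256=constructed"}'  # constructed sample input
    sig = sign(payload, n, d)
    assert verify(payload, sig, n, e)
    assert not verify(payload + b"x", sig, n, e)
    assert not verify(payload, sig[:-1] + bytes([sig[-1] ^ 0xFF]), n, e)
    return len(fingerprint(n, e))
```

verify() only needs n and e, which is the whole point of the post: a client can check a wheel's signature with nothing beyond big-integer pow() and SHA-256, and can identify the expected signer by a 32-byte fingerprint rather than by carrying a full key-management stack.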
