[Distutils] what exactly does `wheel keygen` w/ `sign` do?

Brett Cannon brett at yvrsfo.ca
Fri Feb 21 20:11:45 CET 2014

So I'm trying to be a good Python project owner for
https://github.com/brettcannon/caniusepython3 so that means wanting to
produce a universal wheel. While reading up on exactly what is needed I
noticed there is `wheel keygen` which feeds `wheel sign`.

But what exactly is the keygen producing? I'm assuming it's a
private/public key but there is nothing about where those keys are stored,
if I should keep them when I change machines, etc. And if this is PKI then
I would assume I would want to get my public key signed by others in some
web-of-trust to make sure that the signing is more than just a content
hash. I do have a public/private GPG key from years ago when I tried to do
the right thing and got it signed at PyCon, but once again the wheel docs
don't say anything about GPG or reusing keys, etc. The wheel docs are so
non-committal it makes it feel like that whatever `gpg keygen` produces is
really not some performance shortcut and not really something to care about
perpetuating the output of.

So am I missing something or is `wheel keygen` just an optimization?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140221/6f368580/attachment.html>

More information about the Distutils-SIG mailing list