[Python-Dev] [Distutils] [Catalog-sig] accept the wheel PEPs 425, 426, 427

Daniel Holth dholth at gmail.com
Tue Nov 13 17:37:13 CET 2012

The signatures section is now just:

+If JSON web signatures are used, one or more JSON Web Signature JSON
+Serialization (JWS-JS) signatures may be stored in a file RECORD.jws
+adjacent to RECORD.  JWS is used to sign RECORD by including the SHA-256
+hash of RECORD as the JWS payload::

     { "hash": "sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" }

+If RECORD.p7s is used, it must contain a PKCS#7 format signature of
+A wheel installer may assume that the signature has already been checked
+against RECORD, and only must verify the hashes in RECORD against the
+extracted file contents.


+Why does wheel include attached signatures?
+    Attached signatures are more convenient than detached signatures
+    because they travel with the archive.  Since only the individual files
+    are signed, the archive can be recompressed without invalidating
+    the signature, or individual files can be verified without having
+    to download the whole archive.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20121113/f91629d1/attachment.html>

More information about the Python-Dev mailing list