[Python-Dev] [Distutils] [Catalog-sig] accept the wheel PEPs 425, 426, 427

Daniel Holth dholth at gmail.com
Tue Nov 13 17:37:13 CET 2012


The signatures section is now just:

+If JSON web signatures are used, one or more JSON Web Signature JSON
+Serialization (JWS-JS) signatures may be stored in a file RECORD.jws
+adjacent to RECORD.  JWS is used to sign RECORD by including the SHA-256
+hash of RECORD as the JWS payload::

     { "hash": "sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" }

+If RECORD.p7s is used, it must contain a PKCS#7 format signature of
+RECORD.
+
+A wheel installer may assume that the signature has already been checked
+against RECORD, and only must verify the hashes in RECORD against the
+extracted file contents.
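Review bot: The sentence "A wheel installer may assume that the signature has already been checked against RECORD" leaves the verifying party unspecified, so no component is clearly responsible for checking RECORD.jws or RECORD.p7s before the installer trusts the hashes in RECORD; the text should name who verifies (the tool that fetches or unpacks the wheel) and state that an absent or failing signature means the wheel is to be treated as unsigned, not as verified. The hunk also does not say whether RECORD.jws and RECORD.p7s are themselves listed in RECORD; since the signed payload is the SHA-256 of RECORD, they cannot be hashed into it without circularity, so the text should state explicitly that they are not mentioned in RECORD. For the PKCS#7 case, "a PKCS#7 format signature of RECORD" should say whether the signature is detached and which digest algorithm is expected, as it does for JWS.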

FAQ

+Why does wheel include attached signatures?
+    Attached signatures are more convenient than detached signatures
+    because they travel with the archive.  Since only the individual files
+    are signed, the archive can be recompressed without invalidating
+    the signature, or individual files can be verified without having
+    to download the whole archive.
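Review bot: "Since only the individual files are signed" does not match the mechanism described above, where the signature covers the SHA-256 of RECORD and RECORD in turn carries per-file hashes; suggest "Since the signature covers RECORD, which holds a hash of each individual file, the archive can be recompressed without invalidating the signature". Likewise "individual files can be verified without having to download the whole archive" should note that RECORD and its signature must still be fetched and verified first, otherwise a reader may take a bare per-file hash as sufficient.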