Signing extensions

Roger Binns rogerb at
Sat Sep 26 05:23:13 CEST 2009

I would like to digitally sign the open source Python extensions I produce.
 I produce source code (zip file) as well as pre-built binaries for Windows
(all Python versions from 2.3 to 3.1).

I can sign the source using my PGP key no problem.  I could also sign the
Windows binaries that way but Windows users are unlikely to have PGP and the
Google code downloads page would look even worse having another 8 or 9 .asc

The Windows Python distribution is signed by PGP and the normal Microsoft
way using a Verisign class 3 cert.  (If you read their issuer statement it
ultimately says the cert isn't worth the bits it is printed on :-)  One of
those certs is $500 per year which is out of the question for me.

Does anyone have any other suggestions?  Has the PSF considered running a
certificate authority for extension developers, and other Python developers
for that matter?


More information about the Python-list mailing list