Gpg python installer

Ned Deily nad at acm.org
Thu Apr 2 09:13:22 CEST 2015


In article 
<CAK9B2qgbiGkUAH3w2YMRuogOCQDq132QBXRbQWcP5o1jAxtNyA at mail.gmail.com>,
 leonardo davinci <leodavinci111 at gmail.com> wrote:
> I am using Kleopatra(gpg for win) to verify the 3.4.3 python installer,
> Windows x86 MSI
> 
> ><https:// <https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi>
> www.python.org <https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi>
> /ftp/python/3.4.3/
> <https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi>python-3.4.3.msi
> <https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi>>. This file does
> not have a email in the digital signature and I am having trouble verifying
> the validity of the download.

Unfortunately, verifying the PGP signature of release files isn't the 
most user-friendly process, especially on Windows.  The release files 
from python.org are typically PGP-signed in armored detached signature 
files, in other words, for each release file (like python-3.4.3.msi) 
there is a separate signature file with an appended .asc extension 
(python-3.4.3.msi.asc).  If you go to the python.org downloads page 
(https://www.python.org/downloads/) and click on the release in 
question, it should take you to the page for the release 
(https://www.python.org/downloads/release/python-343/).  Near the bottom 
of the page, there is a list of downloadable files and to the right of 
each one there is a "GPG" column with a "SIG" link for each file.  
Clicking on the SIG link should download the corresponding signature 
file (python-3.4.3.msi.asc).  I'm not familiar with Kleopatra's 
interface but normally you'd want to download both the installer file 
and its asc file to the same directory/folder and then tell the GPG 
program to verify the asc file.  The PGP/GPG program will also need to 
have access to the public keys of the creators / signers of the 
downloadable files.  You will find them listed near the bottom of the 
Downloads page (https://www.python.org/downloads/).

Independently thereof, the python.org Windows installer files are also 
signed with a public-key code signing certificate that should be 
automatically verified by the Windows installer program.  (Likewise, for 
the Mac OS X installer files.)

Hope this helps!

-- 
 Ned Deily,
 nad at acm.org




More information about the Python-list mailing list