Martin v. Löwis wrote:
>> I have code in python to digitally sign/verify signatures using ElGamal
>> algorithm. Any interest?
>
> I rather prefer standard PGP signatures (with whatever signature
> algorithm the server key uses).

Me too, but then you require an OpenPGP implementation in Python or a pgp/gpg program around, correctly configured, with the PYPI public key installed, etc. Instead, ElGamal signatures are verified in 12 lines of 100% Python code.

I am talking about checking that a package actually comes from PyPI, not the PGP author signature. This is important if anybody can deploy a mirror... At least "easy_install" can automatically verify that the downloaded package, from a mirror, was originated in the main PYPI server and it was not modified in any way.

-- 
Jesus Cea Avion
[email protected] - http://www.jcea.es/
jabber / xmpp:[email protected]
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
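The scheme discussed in this message, as an added example that is not part of the original post and is not the poster's code: textbook ElGamal signing on the index server and pure-Python verification on the client that downloads from a mirror. The modulus `P`, generator `G`, the use of SHA-256 and all function names are assumptions made for this sketch; they are not parameters used by PyPI.

```python
import hashlib
import math
import secrets

# Constructed demo parameters (assumptions, not values used by PyPI).
# P is the Mersenne prime 2**521 - 1, chosen only because it is easy to
# write down; a deployment would use a vetted safe-prime group of 2048+ bits.
P = 2**521 - 1
G = 3


def digest(data: bytes) -> int:
    """Hash the package bytes to an integer (SHA-256 is this example's choice)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    """Return (private x, public y). x never leaves the main index server."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def sign(data: bytes, x: int):
    """Server side: sign the package digest with private key x."""
    while True:
        k = secrets.randbelow(P - 3) + 2       # fresh nonce for every signature
        if math.gcd(k, P - 1) != 1:            # k must be invertible mod p-1
            continue
        r = pow(G, k, P)
        s = (digest(data) - x * r) * pow(k, -1, P - 1) % (P - 1)
        if s != 0:
            return r, s


def verify(data: bytes, sig, y: int) -> bool:
    """Client side: needs only the public key y shipped with the installer."""
    r, s = sig
    # The range checks are part of the scheme; skipping 0 < r < p is a
    # known way for an implementation to accept forged signatures.
    if not (0 < r < P and 0 < s < P - 1):
        return False
    # Accept iff g^H(m) == y^r * r^s (mod p)
    return pow(G, digest(data), P) == pow(y, r, P) * pow(r, s, P) % P


if __name__ == "__main__":
    x, y = keygen()
    pkg = b"constructed package bytes"          # constructed sample input
    sig = sign(pkg, x)
    print(verify(pkg, sig, y), verify(pkg + b"!", sig, y))
```

A mirror can serve the package and its `(r, s)` pair unchanged, but it cannot produce a valid pair for modified bytes without `x`.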
