If pypi would also sign the public key, and possibly the metadata for a particular release, that feature could be pretty cool.
On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <ta...@ziade.org> wrote:
> Hey
>
> I am currently writing a small script to verify that the gpg signature is
> correct when the --sign option is used with the Distutils upload command,
> and I was wondering why we don't publish the public key alongside the .asc
> file.
>
> Right now, unless I missed something, to verify a signature the user has
> to manually get the public key before she can control the tarball.
>
> Wouldn't it make sense to modify the upload command and add a .pubkey file
> alongside the archive file and the .asc file on PyPI? (since we don't have
> a notion of team/users etc.)
>
> Cheers
> Tarek
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
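A verification script of the kind discussed in the thread, added here as an example (it is not code from the thread, from Distutils or from PyPI): it imports the .pubkey published next to the archive into a throwaway keyring, verifies the .asc, and then compares the signing fingerprint with one obtained out of band, since a key that arrives by the same upload path as the archive only proves that the two are consistent with each other. The SAMPLE_STATUS lines, the fingerprint and the file names are constructed.

```python
import os
import subprocess
import tempfile

# Constructed status-fd output of the kind "gpg --status-fd 1 --verify" emits.
# The fingerprint and key id are made-up placeholders, not a real key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2012-11-19 1353337020 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def check_status(status_text, pinned_fingerprint):
    """Return (ok, fingerprint) from gpg status lines.

    ok is True only for a GOODSIG/VALIDSIG pair whose fingerprint equals the
    pinned one. TRUST_* lines are ignored: the throwaway keyring has no trust
    data, so trust must come from the out-of-band pin instead.
    """
    good, fingerprint = False, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG":
            fingerprint = parts[2].upper()   # full fingerprint of the signing key
        elif parts[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, None               # strict policy: expired/revoked keys fail
    if not good or fingerprint is None:
        return False, None
    if fingerprint != pinned_fingerprint.replace(" ", "").upper():
        return False, fingerprint            # signed, but not by the key we expected
    return True, fingerprint


def verify_release(archive, asc_file, pubkey_file, pinned_fingerprint):
    """Import the co-located .pubkey into a temporary GNUPGHOME and verify the .asc."""
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)   # keeps the key out of the real keyring
        subprocess.run(["gpg", "--batch", "--import", pubkey_file],
                       env=env, check=True, capture_output=True)
        proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                               asc_file, archive],
                              env=env, capture_output=True, text=True)
        return check_status(proc.stdout, pinned_fingerprint)
```

Pinning the fingerprint is what turns "the archive matches the key shipped with it" into "the archive was signed by the maintainer's key"; without it, the .pubkey file on its own adds convenience but not authenticity.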