Twine just uses gpg like distutils upload does. It’ll even do the signing for 
you if you want.

twine upload -s dist/*

On Feb 21, 2014, at 3:02 PM, Brett Cannon <[email protected]> wrote:

> Well, I'll at least use what twine supports. =)
> 
> 
> On Fri, Feb 21, 2014 at 2:17 PM, Donald Stufft <[email protected]> wrote:
> 
> On Feb 21, 2014, at 2:11 PM, Brett Cannon <[email protected]> wrote:
> 
>> So I'm trying to be a good Python project owner for 
>> https://github.com/brettcannon/caniusepython3 so that means wanting to 
>> produce a universal wheel. While reading up on exactly what is needed I 
>> noticed there is `wheel keygen` which feeds `wheel sign`.
>> 
>> But what exactly is the keygen producing? I'm assuming it's a private/public 
>> key but there is nothing about where those keys are stored, if I should keep 
>> them when I change machines, etc. And if this is PKI then I would assume I 
>> would want to get my public key signed by others in some web-of-trust to 
>> make sure that the signing is more than just a content hash. I do have a 
>> public/private GPG key from years ago when I tried to do the right thing and 
>> got it signed at PyCon, but once again the wheel docs don't say anything 
>> about GPG or reusing keys, etc. The wheel docs are so non-committal it makes 
>> it feel like whatever `gpg keygen` produces is really not some 
>> performance shortcut and not really something to care about perpetuating the 
>> output of.
>> 
>> So am I missing something or is `wheel keygen` just an optimization?
> 
> In my opinion Wheel key signing is pointless. It has no trust model associated 
> with it and it’s Wheel specific. Right now there’s not a lot of benefit to 
> signing, but I would use the gpg signing that’s built into distutils. It’s 
> generic and works across all file types.
> 
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
> 


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


_______________________________________________
Distutils-SIG maillist  -  [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
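As an added example (not code from this thread or from twine), the shell script below reproduces what `twine upload -s` does on the signing side, a detached ASCII-armoured OpenPGP signature written next to each file as `<file>.asc`, and shows the check a consumer runs against a downloaded file. It assumes GnuPG 2.1 or later is installed; the release identity and the sample wheel are constructed, and a throwaway key is created in a temporary GNUPGHOME so the user's real keyring is untouched.

```shell
#!/bin/sh
# Sign a dist/ directory the way `twine upload -s` does, then verify.
# gpg is invoked only with long-standing options (--detach-sign, --armor,
# --verify, --quick-generate-key); the key name and wheel are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

# Isolated keyring so the demo never touches ~/.gnupg; cleaned up on exit.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg: batch mode with an empty passphrase for the demo key.
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Hypothetical release identity; a real release would use the maintainer's own key.
make_release_key() {
    gpgb --quick-generate-key 'Release Bot <release@example.invalid>' default default never
}

# Produce <file>.asc beside every file in the dist directory (twine -s layout).
sign_dist() {
    for f in "$1"/*; do
        case "$f" in *.asc) continue ;; esac
        gpgb --detach-sign --armor --output "$f.asc" "$f"
    done
}

# Consumer-side check: exit 0 only if <file>.asc is a valid signature over
# <file> by a key present in the keyring. Any byte changed after signing,
# or a signature made with a key we do not hold, fails this check.
verify_dist_file() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Constructed sample wheel; its contents do not matter for the demo.
DIST=$(mktemp -d)
WHEEL="$DIST/caniusepython3-1.0-py2.py3-none-any.whl"
printf 'constructed wheel contents\n' > "$WHEEL"

make_release_key >/dev/null 2>&1
sign_dist "$DIST"
verify_dist_file "$WHEEL" && echo "signature OK: $WHEEL"
```

Unlike a bare content hash, the `.asc` file only verifies against the signer's public key, so a consumer still has to decide which keys to trust, which is the trust-model gap the thread is discussing.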
