Woot
On Fri, Feb 21, 2014 at 3:32 PM, Brett Cannon <[email protected]> wrote:
> Well, the docs gave the gpg command to use and made the good point that
> doing so meant not typing your GPG passphrase into a strange app. Anyway,
> https://pypi.python.org/pypi/caniusepython3 is now live and has both an
> sdist and universal wheel which are both signed with my creaky GPG key.
>
>
> On Fri, Feb 21, 2014 at 3:16 PM, Donald Stufft <[email protected]> wrote:
>>
>> Twine just uses gpg like distutils upload does. It'll even do the signing
>> for you if you want.
>>
>> twine upload -s dist/*
>>
>> On Feb 21, 2014, at 3:02 PM, Brett Cannon <[email protected]> wrote:
>>
>> Well, I'll at least use what twine supports. =)
>>
>>
>> On Fri, Feb 21, 2014 at 2:17 PM, Donald Stufft <[email protected]> wrote:
>>>
>>>
>>> On Feb 21, 2014, at 2:11 PM, Brett Cannon <[email protected]> wrote:
>>>
>>> So I'm trying to be a good Python project owner for
>>> https://github.com/brettcannon/caniusepython3 so that means wanting to
>>> produce a universal wheel. While reading up on exactly what is needed I
>>> noticed there is `wheel keygen` which feeds `wheel sign`.
>>>
>>> But what exactly is the keygen producing? I'm assuming it's a
>>> private/public key but there is nothing about where those keys are stored,
>>> if I should keep them when I change machines, etc. And if this is PKI then I
>>> would assume I would want to get my public key signed by others in some
>>> web-of-trust to make sure that the signing is more than just a content hash.
>>> I do have a public/private GPG key from years ago when I tried to do the
>>> right thing and got it signed at PyCon, but once again the wheel docs don't
>>> say anything about GPG or reusing keys, etc. The wheel docs are so
>>> non-committal it makes it feel like whatever `gpg keygen` produces is
>>> really not some performance shortcut and not really something to care about
>>> perpetuating the output of.
>>>
>>> So am I missing something or is `wheel keygen` just an optimization?
>>> _______________________________________________
>>> Distutils-SIG maillist - [email protected]
>>> https://mail.python.org/mailman/listinfo/distutils-sig
>>>
>>>
>>> In my opinion Wheel key signing is pointless. It has no trust model based
>>> with it and it's Wheel specific. Right now there's not a lot of benefit to
>>> signing but I would use the gpg signing that's built into distutils. It's
>>> generic and works across all file types.
>>>
>>> -----------------
>>> Donald Stufft
>>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
>>> DCFA
>>>
>>
>>
>>
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
>> DCFA
>>
>
>
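The signing step Donald recommends (`twine upload -s`, like `setup.py upload --sign`, shells out to `gpg --detach-sign --armor` and uploads the resulting `.asc` next to the file) only pays off if the downloader checks the signature against a fingerprint published out of band, such as the one in Donald's signature block. `gpg --verify` exiting 0 proves only that some key in the local keyring made a good signature, which is the missing trust model the thread is complaining about for `wheel sign` as well. The following is an added example, not code from twine, distutils or wheel: it generates a throwaway key in a temporary GNUPGHOME, signs a constructed stand-in for an sdist, and verifies by parsing gpg's `--status-fd` output for the VALIDSIG record and comparing the primary-key fingerprint to a pinned value. It assumes gpg 2.1 or later on PATH; the helper names (`gpg`, `make_key`, `sign`, `verify`, `demo`) and the signer identity are mine.

```python
"""Sign a release file the way `twine upload -s` does (gpg --detach-sign --armor),
then verify it the way a downloader should: not just "gpg exited 0" but "the
signing key is the one the author publishes".  Added example, not twine or
distutils code; assumes gpg 2.1+ on PATH and uses a throwaway key so it runs
offline."""
import os
import subprocess
import tempfile


def gpg(home, *args):
    # Run gpg non-interactively against an isolated keyring.  The empty
    # loopback passphrase is acceptable only because the key is throwaway.
    return subprocess.run(
        ["gpg", "--batch", "--yes", "--homedir", home,
         "--pinentry-mode", "loopback", "--passphrase", "", *args],
        capture_output=True, timeout=120)


def make_key(home):
    """Generate a throwaway signing key; return its primary fingerprint."""
    gpg(home, "--quick-generate-key", "Test Signer <test@example.invalid>",
        "default", "default", "never").check_returncode()
    out = gpg(home, "--with-colons", "--list-secret-keys").stdout.decode()
    # The first "fpr:" record follows the "sec:" record, i.e. the primary key;
    # the fingerprint is colon-separated field 10.
    return next(l.split(":")[9] for l in out.splitlines() if l.startswith("fpr:"))


def sign(home, path):
    """Write an ASCII-armored detached signature next to the file (foo.tar.gz.asc)."""
    gpg(home, "--detach-sign", "--armor", "--output", path + ".asc", path).check_returncode()
    return path + ".asc"


def verify(home, path, expected_fpr):
    """Return (gpg_exit_ok, primary_fingerprint_or_None, pinned_ok).

    gpg exits 0 whenever *some* key in the keyring made a good signature;
    pinned_ok is the check that actually binds the file to a known signer."""
    r = gpg(home, "--status-fd", "1", "--verify", path + ".asc", path)
    fpr = None
    for line in r.stdout.decode().splitlines():
        # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> <primary-fpr>
        if line.startswith("[GNUPG:] VALIDSIG "):
            fpr = line.split()[-1]
    return r.returncode == 0, fpr, fpr is not None and fpr == expected_fpr


def demo():
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)  # keep gpg from warning about homedir permissions
        fpr = make_key(home)
        # Constructed stand-in for an sdist; gpg does not care what the bytes are.
        dist = os.path.join(home, "caniusepython3-0.1.tar.gz")
        with open(dist, "wb") as f:
            f.write(b"constructed sample bytes standing in for a tarball\n")
        sign(home, dist)
        good = verify(home, dist, fpr)            # good signature, expected signer
        wrong_pin = verify(home, dist, "0" * 40)  # good signature, but not the key we pinned
        with open(dist, "ab") as f:
            f.write(b"tampered\n")                # modify the artifact after signing
        tampered = verify(home, dist, fpr)        # signature no longer matches the bytes
        try:  # stop the agent gpg started for this homedir before it is deleted
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                           capture_output=True, timeout=30)
        except (OSError, subprocess.SubprocessError):
            pass
        return {"fpr": fpr, "good": good, "wrong_pin": wrong_pin, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The `wrong_pin` case is the one worth remembering: gpg reports a good signature and exits 0, and only the fingerprint comparison rejects the file. Verifying a real download by hand is the same procedure, `gpg --verify pkg.tar.gz.asc pkg.tar.gz` followed by comparing the reported primary fingerprint with the one the maintainer publishes.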
