pypi register page forces insecure 8 char PGP key ID #76
I just signed up for an account on pypi to upload my python projects. It's a great site, and I've been happy to see pypi start to take security seriously. I was happy to see that the registration procedure included a spot to put my PGP key ID. Unfortunately, when I put in my 16 char key ID, it told me that it wasn't supported. When I put in the last 8 chars, then it worked.
The problem is that 8 char key IDs are easily spoofable. Ideally, pypi would request at least 16 chars. It should definitely allow 16 chars, and not force the insecure 8 char standard.
For more on this topic, including how to generate a PGP that matches any 8 char key ID:
I've just registered at pypi and I was really troubled by gpg id field. It rejected my gpg id as invalid format without saying anything helpful.
It took me a bit of googling to understand that 32-bits IDs are still in use, and another round of googling to find how to force gpg to show me 'short id' instead of normal one.
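The two comments above describe the same validation problem from both sides: the form accepted only the 32-bit short ID (the last 8 hex characters of the fingerprint), which is cheap to collide, and gave no hint that the 64-bit long ID or the full fingerprint would be preferable. The following is an added example, not PyPI's code, of how a registration form could validate the field the other way round: accept a 40-hex-char fingerprint or a 16-hex-char long ID and reject the 8-char short ID with a message that explains why. It also shows how the long and short IDs are derived from a fingerprint (the rightmost 16 and 8 hex characters), which is the relationship the second commenter had to look up. The fingerprint used in the test is a constructed placeholder, not a real key.

```python
import re
from typing import NamedTuple

# Identifier lengths in hex characters, per OpenPGP v4 key fingerprints.
FINGERPRINT_LEN = 40  # 160-bit SHA-1 fingerprint
LONG_ID_LEN = 16      # 64-bit key ID (rightmost 64 bits of the fingerprint)
SHORT_ID_LEN = 8      # 32-bit key ID (rightmost 32 bits): trivially collidable

HEX_RE = re.compile(r"^[0-9A-F]+$")


class KeyIdCheck(NamedTuple):
    accepted: bool
    kind: str         # "fingerprint", "long_id", "short_id" or "invalid"
    normalized: str   # upper-case hex, no prefix or spaces; "" when rejected
    reason: str       # user-facing explanation


def normalize_hex(value: str) -> str:
    """Remove whitespace (gpg prints fingerprints in groups of four) and an
    optional 0x prefix, then upper-case so comparisons are canonical."""
    cleaned = "".join(value.split())
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    return cleaned.upper()


def classify(hexid: str) -> str:
    """Map a normalized hex string to the identifier kind it claims to be."""
    if not HEX_RE.match(hexid):
        return "invalid"
    return {
        FINGERPRINT_LEN: "fingerprint",
        LONG_ID_LEN: "long_id",
        SHORT_ID_LEN: "short_id",
    }.get(len(hexid), "invalid")


def check_key_id(value: str, minimum_bits: int = 64) -> KeyIdCheck:
    """Validate a submitted PGP key identifier. Anything shorter than
    `minimum_bits` (default 64, i.e. the long ID) is rejected with a reason
    the user can act on, instead of a bare 'invalid format'."""
    hexid = normalize_hex(value)
    kind = classify(hexid)
    if kind == "invalid":
        return KeyIdCheck(False, kind, "",
                          "Expected a 40-character fingerprint or a "
                          "16-character long key ID (hex digits only).")
    bits = len(hexid) * 4
    if bits < minimum_bits:
        return KeyIdCheck(False, kind, "",
                          f"{bits}-bit key IDs can be forged by brute force; "
                          f"please supply at least {minimum_bits} bits "
                          f"(the long ID or the full fingerprint).")
    return KeyIdCheck(True, kind, hexid, "ok")


def key_ids_from_fingerprint(fingerprint: str) -> tuple[str, str]:
    """Return (long_id, short_id) for a v4 fingerprint: both are simply the
    rightmost 16 and 8 hex characters, which is why the short ID carries only
    32 bits of the key's identity."""
    fpr = normalize_hex(fingerprint)
    if classify(fpr) != "fingerprint":
        raise ValueError("not a 40-character v4 fingerprint")
    return fpr[-LONG_ID_LEN:], fpr[-SHORT_ID_LEN:]


if __name__ == "__main__":
    # Constructed placeholder fingerprint, not a real key.
    sample_fpr = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    long_id, short_id = key_ids_from_fingerprint(sample_fpr)
    for candidate in (sample_fpr, "0x" + long_id, short_id, "not-a-key"):
        result = check_key_id(candidate)
        print(f"{candidate!r:55} -> {result.kind:12} {result.reason}")
```

With the default of 64 bits the form would accept the fingerprint or the long ID and turn away the short ID with an explanation; raising `minimum_bits` to 160 would require the full fingerprint, which is the only identifier that actually commits to the key.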
I'm going to remove GPG key submission from the registration and user form on PyPI Legacy. It only serves to create additional confusion.
We'll continue to display them as they are if a user has them registered, but new registrations won't bother to display the field.
pypa/warehouse#2172 invalidates GPG key additions as a feature of warehouse, and as that is coming up on being real (no for real though), it seems prudent to remove the functionality from PyPI legacy today.