GPG signing - how does that really work with PyPI? #157
GPG signing is not validated in any way by any Python tools (including PyPI). It's an older, less thought out feature that currently is only generally useful for tools like Debian's uscan, which can be configured to verify a GPG signature. It is also possible to manually verify it, but I doubt many people ever do that.
If the signature was uploaded to PyPI (as is the case with Twine, and distutils/setuptools) it is stored at the same URL as the file with a
To verify, you'd download both the file and the signature and do
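The manual check described above, as an added, self-contained shell example (not code from the issue thread or from PyPI/Twine): it builds a throwaway key in a temporary GNUPGHOME, signs a constructed file, verifies the detached signature with `gpg --verify`, then shows verification failing once the file is altered. The `.asc` sidecar name and the `pkg-1.0.tar.gz` file name are assumptions for the demo.

```shell
#!/bin/sh
# Added example: manual verification of a detached GPG signature, the way a
# downloaded file and its sidecar signature would be checked by hand.
# Everything is constructed locally; nothing is fetched from PyPI.
set -u

# verify_detached FILE SIGFILE -> prints "ok" or "bad", returns 0 / 1
verify_detached() {
  if gpg --batch --verify "$2" "$1" >/dev/null 2>&1; then
    echo ok; return 0
  else
    echo bad; return 1
  fi
}

# demo_verify -> returns 0 when the intact file verifies AND a tampered
# copy is rejected; returns 2 if the local setup itself fails.
demo_verify() {
  work=$(mktemp -d) || return 2
  export GNUPGHOME="$work/gnupg"
  mkdir -m 700 "$GNUPGHOME" || return 2
  # constructed, passphrase-less signing key that never leaves this directory
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example Signer <signer@example.invalid>' \
      default default never >/dev/null 2>&1 || return 2
  f="$work/pkg-1.0.tar.gz"          # constructed "release" file (name assumed)
  printf 'constructed release payload\n' > "$f"
  # detached, ASCII-armored signature stored beside the file (".asc" assumed)
  gpg --batch --quiet --armor --detach-sign --output "$f.asc" "$f" || return 2
  good=$(verify_detached "$f" "$f.asc" || :)
  # tamper with the file after signing: the signature must no longer verify
  printf 'x' >> "$f"
  bad=$(verify_detached "$f" "$f.asc" || :)
  gpgconf --kill gpg-agent >/dev/null 2>&1 || :
  rm -rf "$work"
  [ "$good" = ok ] && [ "$bad" = bad ]
}
```

A real check also needs the signer's public key imported and trusted beforehand; with an unknown key `gpg --verify` reports the signature as unverifiable and this function prints `bad`.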