GPG signing - how does that really work with PyPI? #157

Closed
techtonik opened this Issue Jan 11, 2016 · 3 comments

@techtonik
Contributor

techtonik commented Jan 11, 2016

Although twine supports signing, I don't see how PyPI validates the signature or how users can do this manually. Is there some quick rtfm/intro that I've missed?

@dstufft
Member

dstufft commented Jan 11, 2016

GPG signing is not validated in any way by any Python tools (including PyPI). It's an older, less thought out feature that currently is only generally useful for tools like Debian's uscan which can be configured to verify a GPG signature. It is also possible to manually verify it, but I doubt many people ever do that.

@techtonik
Contributor

techtonik commented Jan 11, 2016

Thanks for the fast reply. Is this signature at least stored by PyPI so that Debian tools can grab and check it? What is the manual process, by the way?

@dstufft
Member

dstufft commented Jan 11, 2016

If the signature was uploaded to PyPI (as is the case with Twine, and distutils/setuptools) it is stored at the same URL as the file with a .asc appended to it. For example, using pip 7.1.2 the wheel file is located at https://pypi.python.org/packages/py2.py3/p/pip/pip-7.1.2-py2.py3-none-any.whl and the signature is located at https://pypi.python.org/packages/py2.py3/p/pip/pip-7.1.2-py2.py3-none-any.whl.asc. This is also linked from the UI if it's available.

To verify, you'd download both the file and the signature and do gpg --verify pip-7.1.2-py2.py3-none-any.whl.asc pip-7.1.2-py2.py3-none-any.whl. Sadly, there isn't a good way to know what key should be signing releases. The best you can do is just a trust-on-first-use style mechanism where you require manual intervention if the key changes (which is what Debian typically does in their uscan program).
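The manual process and the trust-on-first-use idea from the comment above, written out as an added example (this is not code from the thread, from twine or from PyPI). It drives `gpg --batch --status-fd 1 --verify <sig> <file>` and reads GnuPG's machine-readable status lines rather than the exit code, so "bad signature", "key not available" and "good signature from a key we have not seen before" are told apart, and it pins the signer's primary-key fingerprint per project so that a changed key is refused until someone reviews it. The pin store format (a small JSON file), the helper names and the sample status lines with their fingerprints are all constructed for this example; only the `.asc` URL convention and the gpg invocation come from the comment.

```python
"""Manual PyPI .asc verification with trust-on-first-use (TOFU) key pinning.

Added example, not code from the thread, twine or PyPI. The pin store, the
helper names and the sample GnuPG status output below are constructed.
"""
import json
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "  # every machine-readable gpg status line starts with this


def signature_url(file_url: str) -> str:
    """PyPI stores the detached signature at the artifact URL plus '.asc'."""
    return file_url + ".asc"


def gpg_status_output(signature_path: str, file_path: str) -> str:
    """Run gpg and return its status lines (sent to stdout by --status-fd 1).

    The exit status is deliberately not used: the status lines are parsed so
    that BADSIG and a missing public key are handled as distinct outcomes.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def parse_status(status_output: str) -> Tuple[Optional[str], str]:
    """Reduce gpg status lines to (signer fingerprint, outcome).

    outcome is one of 'valid', 'bad', 'no_pubkey', 'error', 'no_signature'.
    For VALIDSIG the primary-key fingerprint (11th field) is preferred over the
    signing-subkey fingerprint (2nd field): subkeys rotate, maintainers rarely do.
    """
    fingerprint, outcome = None, "no_signature"
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # not a status line
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "VALIDSIG" and len(fields) >= 2:
            fingerprint = (fields[10] if len(fields) >= 11 else fields[1]).upper()
            if outcome == "no_signature":
                outcome = "valid"
        elif keyword == "BADSIG":
            outcome = "bad"        # signature present but does not match the file
        elif keyword == "ERRSIG":
            outcome = "error"      # could not be checked at all
        elif keyword == "NO_PUBKEY":
            outcome = "no_pubkey"  # refines the preceding ERRSIG
    return fingerprint, outcome


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def check_against_pin(project: str, status_output: str, pins: Dict[str, str]) -> VerifyResult:
    """TOFU: record the key on first use, refuse automatically if it later changes."""
    fingerprint, outcome = parse_status(status_output)
    if outcome != "valid":
        return VerifyResult(False, f"gpg did not report a valid signature ({outcome})", fingerprint)
    pinned = pins.get(project)
    if pinned is None:
        pins[project] = fingerprint  # first use: pin it (a human should still eyeball this once)
        return VerifyResult(True, "first use: pinned signing key", fingerprint)
    if pinned != fingerprint:
        # Never overwrite the pin here; that is the manual-intervention point.
        return VerifyResult(False, "signing key changed since first use; manual review required", fingerprint)
    return VerifyResult(True, "signature matches pinned key", fingerprint)


def load_pins(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: Dict[str, str]) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


# Constructed sample status output; the fingerprints are made up, not real keys.
PRIMARY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
ROTATED_PRIMARY_FPR = "1111222233334444555566667777888899990000"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-01-11 1452470400 0 4 0 1 10 00 "
    + PRIMARY_FPR + "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"  # gpg itself has no opinion on the key: hence TOFU
)
ROTATED_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 23456789ABCDEF01 Example Maintainer <maintainer@example.invalid>\n"
    "[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2016-01-11 1452470400 0 4 0 1 10 00 "
    + ROTATED_PRIMARY_FPR + "\n"
)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.invalid>\n"
UNKNOWN_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1452470400 9 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"
)

if __name__ == "__main__":
    pins: Dict[str, str] = {}
    for label, status in [("first", GOOD_STATUS), ("again", GOOD_STATUS),
                          ("rotated", ROTATED_STATUS), ("bad", BAD_STATUS)]:
        print(label, check_against_pin("pip", status, pins))
```

In real use you would replace the sample constants with `gpg_status_output(signature_url_downloaded_to, wheel_path)`, keep the pin store under version control or otherwise out of the reach of whoever can publish to the index, and treat the "signing key changed" result as a stop, not a prompt to re-pin. Note the `TRUST_UNDEFINED` line in the good sample: gpg reports a cryptographically valid signature while saying nothing about whether the key belongs to the project, which is exactly the gap the comment describes and the reason the pin exists.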
