PGP signatures are not displayed #3356

Closed
mbakke opened this issue Mar 22, 2018 · 4 comments
Comments

mbakke commented Mar 22, 2018

This is the same issue as #703.

Uploaded PGP signatures are not visible in Warehouse.

See e.g.

https://pypi.python.org/pypi/cryptography vs https://pypi.org/project/cryptography/.

ewdurbin added the labels "good first issue" (This issue is ideal for first-time contributors!), "HTML" (requires change to HTML files) and "bug 🐛" on Mar 22, 2018
dstufft removed the labels "HTML" (requires change to HTML files), "bug 🐛" and "good first issue" (This issue is ideal for first-time contributors!) on Mar 22, 2018
dstufft (Member) commented Mar 22, 2018

This isn't a bug, we've purposely de-emphasized PGP on Warehouse. While we support uploading them still and they're still a part of the API, we're not exposing them to the user in the UI.

eli-schwartz commented
As a Linux distro packager who typically looks at the download page for software packaged in our repositories, in order to check if PGP signatures are available, before looking up the PGP key in question to determine whether this is the right key to be signing this software (cf. investigation of author, retrieval of fingerprints from multiple independent sources, etc.), then baking that PGP key into the build metadata for that specific distro package to ensure the releases are always signed by the same (hopefully now trusted) person as previous releases...

How exactly am I supposed to detect the presence of these highly hidden files?

prahladyeri commented Jun 15, 2018

This is not just an anti-pattern, but insecure practice too. Every packaging system provides a way to verify whether the package installed on your system is the same binary that the developer packaged and signed off. PGP signatures are that way; without that, how can I ensure that the pip-installed packages haven't been tampered with?
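Added example (not code from Warehouse or from either commenter): the check that eli-schwartz's packaging workflow and prahladyeri's question both come down to once a signature file has been located. Verifying a detached signature with a plain `gpg --verify` only proves it was made by *some* key in the keyring; a packager who wants "always signed by the same person as previous releases" must also compare the signer's fingerprint against a pinned value. gpg reports that fingerprint on the `VALIDSIG` status line when run with `--status-fd`; the code below parses that output and applies the pin. The fingerprint, keyring path and the status lines are constructed placeholders; the gpg flags and the `GOODSIG`/`VALIDSIG` status format are GnuPG's own.

```python
"""Pinned-fingerprint check for a detached PGP signature (added example)."""
import hmac
import subprocess
from typing import Iterator, List, Optional, Tuple

# Hypothetical pinned primary-key fingerprint in gpg's display spacing
# (placeholder value, not a real key).
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"


def _normalize(fpr: str) -> str:
    """Strip display spacing and upper-case the hex so fingerprints compare equal."""
    return fpr.replace(" ", "").upper()


def parse_status_lines(status_output: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (keyword, args) for every '[GNUPG:] KEYWORD ...' line gpg emitted."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            yield parts[1], parts[2:]


def primary_fingerprint(status_output: str) -> Optional[str]:
    """Primary-key fingerprint from the VALIDSIG line, or None if absent.

    VALIDSIG's first field is the fingerprint of the (sub)key that made the
    signature; its last field is the primary key's fingerprint.  Pinning the
    primary key keeps the check valid across signing-subkey rotation.
    """
    for keyword, args in parse_status_lines(status_output):
        if keyword == "VALIDSIG" and args:
            return _normalize(args[-1])
    return None


def check_signature_status(status_output: str, pinned_fpr: str) -> Tuple[bool, str]:
    """Accept only a good signature whose primary key matches the pinned fingerprint."""
    keywords = {kw for kw, _ in parse_status_lines(status_output)}
    # gpg emits exactly one of GOODSIG / EXPSIG / EXPKEYSIG / REVKEYSIG /
    # BADSIG / ERRSIG per signature; anything but GOODSIG is a failure here.
    if "GOODSIG" not in keywords:
        return False, "no GOODSIG: signature bad, missing, or key expired/revoked"
    fpr = primary_fingerprint(status_output)
    if fpr is None:
        return False, "GOODSIG without a VALIDSIG fingerprint"
    if not hmac.compare_digest(fpr, _normalize(pinned_fpr)):
        return False, f"signed by {fpr}, not the pinned key"
    return True, f"good signature by pinned key {fpr}"


def verify_release(artifact: str, signature: str, keyring: str,
                   pinned_fpr: str = PINNED_FINGERPRINT) -> Tuple[bool, str]:
    """Run gpg against an isolated keyring file and apply the pinned-key check.

    The keyring is assumed to hold only the key(s) imported for this package,
    independent of whatever sits in the user's default keyring.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return check_signature_status(proc.stdout, pinned_fpr)


# Constructed gpg status output (not captured from a real run): a good
# signature made by a subkey whose primary key matches PINNED_FINGERPRINT.
STATUS_PINNED_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-03-22 1521720000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a perfectly valid signature, but from a key that is not pinned.
STATUS_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Someone Else <other@example.org>
[GNUPG:] VALIDSIG 1122334455667788112233445566778811223344 2018-03-22 1521720000 0 4 0 1 10 00 1122334455667788112233445566778811223344
"""

# Constructed: the pinned key signed it, but the key had already expired.
STATUS_EXPIRED = """\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-03-22 1521720000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

if __name__ == "__main__":
    for name, status in [("pinned key", STATUS_PINNED_OK),
                         ("other key", STATUS_OTHER_KEY),
                         ("expired key", STATUS_EXPIRED)]:
        print(name, "->", check_signature_status(status, PINNED_FINGERPRINT))
```

Only the status parsing runs offline; `verify_release()` needs gpg and a keyring you populated yourself (for example from a fingerprint cross-checked against several independent sources, as the comment above describes). The second constructed case is the one a bare `gpg --verify` exit code would wave through.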

rugk commented May 22, 2023

For the record, this has been referenced in https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
