Please, digitally sign releases #10

Open
jcea opened this issue May 26, 2014 · 5 comments

jcea commented May 26, 2014

Graham, I was wondering if you could digitally sign (PGP/GPG) mod_wsgi releases.

Thanks for your effort!

GrahamDumpleton (Owner) commented

Do you mean for the uploads to PyPI to be signed or on github?

I can't see how I can upload a signature file on PyPI, but will have to work out what accepted practice is on github.

jcea (Author) commented May 27, 2014

I would mean BOTH. I would love to be able to verify your releases. I just downloaded 3.5 yesterday and I would love to verify integrity and origin (you).

I digitally sign my releases in PYPI. For instance: https://pypi.python.org/pypi/bsddb3/6.0.1 . This is quite standard. For instance: https://pypi.python.org/pypi/Sphinx/1.2.2

In order to digitally sign your PYPI releases, you only need to push the new version to PYPI with a command like "python setup.py sdist upload --sign".

Let me know if I can help you with this.

Jesús

GrahamDumpleton (Owner) commented

Right now I can't use 'upload' unfortunately, although I would like to, because 'upload' will not work with an OpenID enabled account and they stopped allowing SSH style uploads.

Anyway, will be doing more releases and more frequently now as working on various new stuff, so I will work out how to incorporate it into my workflow.

I will at least look at signing the tar balls on PyPI. Not sure if signing the one on github as well will cause confusion, as it will have a different signature: the PyPI tar ball has different stuff to what is in the actual repo due to some files not being packaged up, plus the existence of generated doc files.

Either way, I will work something out.

jcea (Author) commented May 27, 2014

I just checked it out, and PYPI allows you to upload a PGP signature when you create a new PYPI release. So, if you upload files by hand to PYPI, looks like you can upload PGP signatures too.

I am happy enough you accept this issue is important and commit to improve the current situation. Thanks, Graham!!

Let me know if I can help you out!

GrahamDumpleton (Owner) commented

I well know I haven't done this. Me being totally ignorant of this sort of stuff, can you point to a cheat sheet of what I need to do to generate the signatures to then manually upload if I am on MacOS X? My only exposure to the stuff is my GPGMail plugin which I had to set up once to communicate with a secure mailing list. I also have the GPG Keychain Access application, but have no real idea about what public key server I may be set up with and so whether I have everything in place for it to even work.

I also still don't know how you might sign release tar balls on github itself.

Any help you can provide to educate this old and slowly going senile self would be most appreciated. Would like to get this sorted out rather than let it hang here.
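The mechanics asked for in the thread, as an added example that is not part of the original discussion or of mod_wsgi's own release process: a POSIX shell script that produces the detached ASCII-armoured signature (`.asc`) that `setup.py upload --sign` would generate and that PyPI accepts as a manually uploaded signature, then verifies it the way a downloader would, and shows that a modified tarball fails verification. The key is a constructed throwaway key created in a temporary `GNUPGHOME`, and the tarball is a constructed stand-in; a real release is signed with the maintainer's long-lived key in the normal keyring, and the only lines a maintainer would actually type are the `gpg --detach-sign` and `gpg --verify` commands.

```shell
#!/bin/sh
# Added example, not from the issue thread or the mod_wsgi project.
# Demonstrates detached PGP signing of a release file and verification,
# using a throwaway key in a temporary GNUPGHOME so it runs offline.

# Create a detached, ASCII-armoured signature next to the file
# (mod_wsgi-X.Y.tar.gz -> mod_wsgi-X.Y.tar.gz.asc). This is the file
# PyPI's release form accepts as the PGP signature for an upload.
sign_release() {
    file="$1"
    gpg --batch --yes --armor --detach-sign --output "$file.asc" "$file"
}

# What a downloader runs: checks the signature against the file with the
# signer's public key already imported. Prints "good" or "bad".
verify_release() {
    file="$1"
    if gpg --batch --verify "$file.asc" "$file" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# End-to-end run: throwaway key, sign, verify, tamper, verify again.
# Prints "ok" when the intact file verifies and the tampered one does not,
# "skipped" when gpg is not installed on this machine.
sign_and_verify_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Constructed throwaway key (no passphrase); never use one like this for
    # real releases. gpg reads the unattended parameters from stdin.
    gpg --batch --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Throwaway Release Key
Name-Email: throwaway@example.invalid
Expire-Date: 0
%commit
EOF
    # Constructed stand-in for a real sdist tarball.
    tarball="$work/example-1.0.tar.gz"
    printf 'constructed release payload\n' > "$tarball"
    sign_release "$tarball" >/dev/null 2>&1
    intact=$(verify_release "$tarball")
    # Simulate a download that was altered in transit or on a mirror.
    printf 'x' >> "$tarball"
    tampered=$(verify_release "$tarball")
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$work"
    if [ "$intact" = good ] && [ "$tampered" = bad ]; then
        echo ok
    else
        echo fail
    fi
}

sign_and_verify_demo
```

The signature only tells a downloader something if they can tie the public key to the maintainer: the key (or at least its fingerprint) has to be published somewhere the downloader already trusts, such as the project site or a key server, which is the piece the thread identifies as still unresolved for GitHub-hosted tarballs.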
