-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PGP signatures are not displayed #3356
Comments
This isn't a bug, we've purposely de-emphasized PGP on Warehouse. While we support uploading them still and they're still a part of the API, we're not exposing them to the user in the UI. |
As a Linux distro packager who typically looks at the download page for software packaged in our repositories, in order to check if PGP signatures are available, before looking up the PGP key in question to determine whether this is the right key to be signing this software (cf. investigation of author, retrieval of fingerprints from multiple independent sources, etc.), then baking that PGP key into the build metadata for that specific distro package to ensure the releases are always signed by the same (hopefully now trusted) person as previous releases... How exactly am I supposed to detect the presence of these highly hidden files? |
This is not just an anti-pattern, but insecure practice too. Every packaging system provides a way to verify whether the package installed on your system is the same binary that the developer packaged and signed off. PGP signatures is that way, without that how can I ensure that the |
For the record, this has been referenced in https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless |
This is the same issue as #703.
Uploaded PGP signatures are not visible in Warehouse.
See e.g.
https://pypi.python.org/pypi/cryptography vs https://pypi.org/project/cryptography/ .
The text was updated successfully, but these errors were encountered: