Since its filing, many issues have come and gone regarding GPG, and I am going to close this.
PEP 503 specifies PyPI's handling of signatures supplied when packages are uploaded:
PEP 101 gives overall guidance of signing commits and releases, but does not specify PyPI's behavior:
PEPs 241 and 314 both specify the same non-binding requirement that a repository might provide authors the ability to store their GPG Key... which is wholly distinct from a Key ID... but I think I know what they meant.
Given the context and reasoning given in other venues, and the ultimate fact that just asking PyPI for a user's GPG Key ID rather than the Keyserver infrastructure that exists solely for this purpose, I'm closing this and removing GPG Key ID handling from pypa/pypi-legacy.
Currently there's no verification that a person owns the GPG key they claim they do. We should verify this before allowing this key.
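One way to implement the check the issue asks for, added here as an example and not code from pypi-legacy or Warehouse: the server issues a one-time challenge bound to the account name and the fingerprint of the key being registered, the user signs it with the matching private key, and the server accepts the key only if the signature verifies under the public key over the server's own copy of the challenge. Go's standard library has no OpenPGP implementation, so ed25519 from crypto/ed25519 stands in for the GPG key and a SHA-256 over the raw key bytes stands in for the fingerprint; both are assumptions of this example, as are the function names and the "pypi-key-ownership-v1" message format. With real GPG the same exchange would have the client run gpg --detach-sign over the challenge and the server run gpg --verify against the submitted key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Fingerprint stands in for a GPG key fingerprint: a hash over the public
// key material. SHA-256 of the raw ed25519 key is an assumption made for
// this example; OpenPGP computes fingerprints over a packet structure.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Challenge is the one-time value the server hands out for the user to sign.
type Challenge struct {
	Username    string
	Fingerprint string
	Nonce       [32]byte
	IssuedAt    time.Time
	ExpiresAt   time.Time
}

// Message is the canonical byte string the user signs. Binding the account
// name and key fingerprint into it stops a signature obtained for one
// account or key from being replayed to register another.
func (c Challenge) Message() []byte {
	return []byte(fmt.Sprintf("pypi-key-ownership-v1\n%s\n%s\n%s\n%d",
		c.Username, c.Fingerprint, hex.EncodeToString(c.Nonce[:]), c.IssuedAt.Unix()))
}

// Verifier issues challenges and checks the signatures that come back.
type Verifier struct {
	TTL     time.Duration
	Now     func() time.Time     // injectable clock so expiry can be tested
	pending map[string]Challenge // outstanding challenges keyed by nonce hex
}

func NewVerifier(ttl time.Duration) *Verifier {
	return &Verifier{TTL: ttl, Now: time.Now, pending: map[string]Challenge{}}
}

// Issue records a fresh challenge for (username, key) and returns it.
func (v *Verifier) Issue(username string, pub ed25519.PublicKey) (Challenge, error) {
	c := Challenge{Username: username, Fingerprint: Fingerprint(pub)}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	c.IssuedAt = v.Now()
	c.ExpiresAt = c.IssuedAt.Add(v.TTL)
	v.pending[hex.EncodeToString(c.Nonce[:])] = c
	return c, nil
}

// Verify consumes the challenge and accepts the key only if the signature
// was made with it over the server's stored copy of the challenge message,
// so a client cannot alter the username or fingerprint it signs.
func (v *Verifier) Verify(nonce [32]byte, pub ed25519.PublicKey, sig []byte) error {
	key := hex.EncodeToString(nonce[:])
	c, ok := v.pending[key]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(v.pending, key) // single use, even on failure: retry needs a new challenge
	if v.Now().After(c.ExpiresAt) {
		return errors.New("challenge expired")
	}
	if Fingerprint(pub) != c.Fingerprint {
		return errors.New("signing key is not the key being registered")
	}
	if !ed25519.Verify(pub, c.Message(), sig) {
		return errors.New("signature does not verify under the claimed key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(5 * time.Minute)
	c, _ := v.Issue("alice", pub)
	sig := ed25519.Sign(priv, c.Message()) // the user's side: sign the challenge
	fmt.Println("first attempt:", v.Verify(c.Nonce, pub, sig))
	fmt.Println("replayed:", v.Verify(c.Nonce, pub, sig))
}
```

The challenge is deleted from the pending set before any check runs, so a failed or expired attempt cannot be retried with the same nonce, and the server verifies over its own stored Challenge rather than anything the client sends back. Note that this only proves possession of the private key at registration time; it says nothing about whether the key is still under the user's control later, and the keyserver infrastructure mentioned in the closing comment is where a key's identity and revocation state would normally be looked up.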