
Please, digitally sign releases

Open jcea opened this issue 11 years ago • 5 comments

Graham, I was wondering if you could digitally sign (PGP/GPG) mod_wsgi releases.

Thanks for your effort!

jcea avatar May 26 '14 15:05 jcea

Do you mean for the uploads to PyPI to be signed, or on GitHub?

I can't see how I can upload a signature file on PyPI, but will have to work out what accepted practice is on GitHub.

GrahamDumpleton avatar May 26 '14 23:05 GrahamDumpleton

I would mean BOTH. I would love to be able to verify your releases. I just downloaded 3.5 yesterday and I would love to verify integrity and origin (you).

I digitally sign my releases in PyPI. For instance: https://pypi.python.org/pypi/bsddb3/6.0.1 . This is quite standard. For instance: https://pypi.python.org/pypi/Sphinx/1.2.2

In order to digitally sign your PyPI releases, you only need to push the new version to PyPI with a command like "python setup.py sdist upload --sign".

Let me know if I can help you with this.

Jesús

jcea avatar May 27 '14 00:05 jcea

Right now I can't use 'upload' unfortunately, although I would like to, because 'upload' will not work with an OpenID enabled account and they stopped allowing SSH style uploads.

Anyway, will be doing more releases and more frequently now as working on various new stuff, so I will work out how to incorporate it into my workflow.

I will at least look at signing the tarballs on PyPI. Not sure if signing the one on GitHub as well will cause confusion, as it will have a different signature: the PyPI tarball has different stuff to what is in the actual repo due to some files not being packaged up, plus the existence of generated doc files.

Either way, I will work something out.

GrahamDumpleton avatar May 27 '14 00:05 GrahamDumpleton

I just checked it out, and PyPI allows you to upload a PGP signature when you create a new PyPI release. So, if you upload files by hand to PyPI, it looks like you can upload PGP signatures too.

I am happy enough that you accept this issue is important and commit to improving the current situation. Thanks, Graham!!

Let me know if I can help you out!

jcea avatar May 27 '14 01:05 jcea

I well know I haven't done this. Me being totally ignorant of this sort of stuff, can you point to a cheat sheet of what I need to do to generate the signatures to then manually upload, if I am on Mac OS X? My only exposure to the stuff is my GPGMail plugin, which I had to set up once to communicate with a secure mailing list. I also have the GPG Keychain Access application, but have no real idea about what public key server I may be set up with, and so whether I have everything in place for it to even work.

I also still don't know how you might sign release tarballs on GitHub itself.

Any help you can provide to educate this old and slowly going senile self would be most appreciated. Would like to get this sorted out rather than let it hang here.

GrahamDumpleton avatar Nov 12 '14 11:11 GrahamDumpleton
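The cheat sheet Graham asks for, as an added example that is not part of this thread: a POSIX shell script that signs a release tarball with a detached ASCII-armored GPG signature (the `.asc` file jcea describes uploading beside a PyPI release) and then verifies it, including the check that a tampered tarball is rejected. It assumes `gpg` (GnuPG 2.1 or later; `brew install gnupg` on a Mac) and uses a throwaway keyring and a constructed payload so nothing touches a real key or release.

```shell
#!/bin/sh
# Sign and verify a release tarball with a detached GPG signature.
# Everything here is constructed for demonstration: temporary keyring,
# throwaway key, fake tarball contents.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed (brew install gnupg)"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"   # isolated keyring; the real ~/.gnupg is untouched
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# 1. Create a throwaway signing key. A real release key would be long-lived,
#    passphrase-protected and its public half published for users to import.
gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
    --quick-generate-key "Release Bot <release@example.invalid>" default default never

# 2. Detached, armored signature written next to the artifact: <file>.asc
sign_release() {
    gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1"
}

# 3. Verification: exit status 0 only if the signature matches the file
#    byte-for-byte and was made by a key present in the keyring.
verify_release() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

TARBALL="$WORK/mod_wsgi-3.5.tar.gz"     # constructed stand-in, not a real release
printf 'constructed sample payload, not a real release\n' > "$TARBALL"

sign_release "$TARBALL"
verify_release "$TARBALL" && echo "signature OK: $TARBALL.asc"

# Any change after signing (a swapped download, a corrupted mirror) must fail.
printf 'tampered\n' >> "$TARBALL"
if verify_release "$TARBALL"; then
    echo "BUG: tampered tarball verified"; exit 1
fi
echo "tampered tarball rejected"
```

Users verify a download the same way after importing the published public key: `gpg --verify mod_wsgi-X.Y.tar.gz.asc mod_wsgi-X.Y.tar.gz`.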