Sign releases for PyPI

Issue #517 wontfix
Ben Finney
created an issue

Downloading and installing a distribution is more secure when the release is signed with the maintainer's cryptographic (GnuPG) key.

Please refine the release process to include cryptographic signatures:

  • Choose (or create) a GnuPG key pair for the release manager.
  • Get the public key signed and well connected in the web of trust, and uploaded to the GnuPG key server network.
  • Sign each release in PyPI with that key.
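
The three steps above, run end to end as an added example (not code from this issue or from the project): the release manager creates a key, exports the public half for publication, and produces the detached ASCII-armoured `.asc` that `twine upload --sign` makes, while a downloader with only the published public key verifies the file and rejects a tampered copy. It assumes GnuPG 2.1 or newer on `PATH`; the key identity, file names and file contents are constructed for the demo and every keyring lives in a throwaway directory, so nothing touches a real keyring.

```shell
#!/bin/sh
# Added example, not code from the issue or from the project: the GnuPG steps
# behind the issue's checklist, with a downloader's verification on the other
# end. Assumes GnuPG 2.1 or newer on PATH; the key identity, file names and
# file contents are constructed for the demo.
set -eu

KEY_UID='Demo Release Manager <release-manager@example.invalid>'

# Non-interactive gpg against a chosen keyring directory (the demo key has no passphrase).
gpg_in() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --no-tty --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Step 1 (release manager): create the key pair; prints its fingerprint.
make_release_key() {   # $1 = keyring dir
    mkdir -p -m 700 "$1"
    gpg_in "$1" --quick-generate-key "$KEY_UID" default default never >/dev/null
    gpg_in "$1" --list-keys --with-colons "$KEY_UID" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2 (release manager): export the public key for publication (a keyserver
# upload or a file on the project site; the demo just writes the file).
export_public_key() {  # $1 = keyring dir, $2 = fingerprint, $3 = output file
    gpg_in "$1" --armor --export "$2" > "$3"
}

# Step 3 (release manager): detached, ASCII-armoured signature written to $3.asc.
# This is the gpg call behind `twine upload --sign --identity <fingerprint> dist/*`;
# omitting --local-user, as plain `--sign` does, signs with gpg's default key.
sign_dist() {          # $1 = keyring dir, $2 = fingerprint, $3 = file to sign
    gpg_in "$1" --local-user "$2" --armor --detach-sign "$3"
}

# Downloader: fresh keyring with only the published public key, then verify.
# Exit status 0 means gpg found a good signature by that key over exactly these bytes.
verify_dist() {        # $1 = keyring dir, $2 = public key file, $3 = downloaded file
    mkdir -p -m 700 "$1"
    gpg_in "$1" --import "$2"
    gpg_in "$1" --verify "$3.asc" "$3"
}

# Stop the agents gpg started for the throwaway keyrings, then delete them.
cleanup() {            # $1 = work dir
    for home in "$1/release-manager" "$1/downloader"; do
        GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$1"
}

# Whole flow: sign, publish key, verify a good download, reject a tampered one.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/dist"
    sdist="$work/dist/demo-1.0.tar.gz"
    printf 'constructed stand-in for an sdist built by tox\n' > "$sdist"

    fpr=$(make_release_key "$work/release-manager")
    export_public_key "$work/release-manager" "$fpr" "$work/release-manager.pub.asc"
    sign_dist "$work/release-manager" "$fpr" "$sdist"

    if ! verify_dist "$work/downloader" "$work/release-manager.pub.asc" "$sdist"; then
        cleanup "$work"; return 1
    fi
    # Same genuine .asc, one changed byte in the download: must be rejected.
    printf 'x' >> "$sdist"
    if verify_dist "$work/downloader" "$work/release-manager.pub.asc" "$sdist"; then
        cleanup "$work"; return 1
    fi
    cleanup "$work"
    echo "key $fpr: good signature accepted, tampered file rejected"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not found on PATH; nothing to demonstrate" >&2
fi
```

Two things the run makes visible. The downloader's `gpg --verify` succeeds but warns that the key "is not certified with a trusted signature", because a freshly imported key has no path into the downloader's web of trust; that warning is exactly what the second step of the checklist (getting the key signed and published) is meant to remove. And pip does not perform this verification itself: a consumer who wants the protection fetches the `.asc` next to the file on PyPI and runs the verify step by hand.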

Comments (6)

  1. Ben Finney reporter

    The twine upload command can sign the source distribution. Here is a patch for the project's Makefile:

    diff -r 7d8d2f99a1f1 Makefile
    --- a/Makefile  Fri Jul 15 05:14:41 2016 +1000
    +++ b/Makefile  Mon Aug 08 19:41:08 2016 +1000
    @@ -59,7 +59,7 @@
        tox -c tox_wheels.ini $(ARGS)
    -   twine upload dist/*
    +   twine upload --sign dist/*
        # pip.conf looks like this:
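
    Review bot: the `+` line, `twine upload --sign dist/*`, signs with whatever secret key GnuPG treats as its default, not necessarily the release manager's key chosen in the issue's first step; add `--identity <key id or fingerprint>` (twine's `-i` option, handed to gpg as `--local-user`) so the Makefile pins the key and a run on another machine cannot quietly sign with a different one. Each file matched by `dist/*` gets its own detached `.asc` and is uploaded with it, so a stale artifact left in `dist/` from an earlier build would be signed and published too; clearing `dist/` before the `tox -c tox_wheels.ini` line, or naming the files explicitly, belongs in the same change.
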

  2. Ben Finney reporter

    > I don't have any of this infrastructure, and so will need some guidance, but I agree we should do this.

    Thanks. Do I understand correctly that you don't currently have a good handle on using GnuPG?

    The FSF's guide to Email Self-Defense is a well-written guide to using GnuPG for encryption. Once you have all that – feel free to test it in email with me – you'll also have a good set-up for GnuPG and can easily go the rest of the way for signing PyPI releases.
