Warehouse: PGP signatures are not displayed
This is the same issue as #703.
Uploaded PGP signatures are not visible in Warehouse.
See e.g.
https://pypi.python.org/pypi/cryptography vs https://pypi.org/project/cryptography/ .
mbakke
All 3 comments
This isn't a bug, we've purposely de-emphasized PGP on Warehouse. While we support uploading them still and they're still a part of the API, we're not exposing them to the user in the UI.
dstufft
on 22 Mar 2018
As a Linux distro packager who typically looks at the download page for software packaged in our repositories, in order to check if PGP signatures are available, before looking up the PGP key in question to determine whether this is the right key to be signing this software (cf. investigation of author, retrieval of fingerprints from multiple independent sources, etc.), then baking that PGP key into the build metadata for that specific distro package to ensure the releases are always signed by the same (hopefully now trusted) person as previous releases...
How exactly am I supposed to detect the presence of these highly hidden files?
eli-schwartz
on 6 Jun 2018
This is not just an anti-pattern, but insecure practice too. Every packaging system provides a way to verify whether the package installed on your system is the same binary that the developer packaged and signed off. PGP signatures is _that way_, without that how can I ensure that the pip installed packages haven't been tampered with?
prahladyeri
on 15 Jun 2018
Related issues
nlhkabu
路
4Comments
nlhkabu
路
4Comments
Lawouach
路
3Comments
nlhkabu
路
4Comments
gautamkrishnar
路
4Comments
Most helpful comment
This is not just an anti-pattern, but insecure practice too. Every packaging system provides a way to verify whether the package installed on your system is the same binary that the developer packaged and signed off. PGP signatures is _that way_, without that how can I ensure that the
pip installed packages haven't been tampered with?