On Wednesday 15 November 2023 15:58:15 CET, Jeremy Stanley wrote:
> why do you need to put an OpenPGP key on the service
> you're using to upload Python packages (not Debian packages) to
> PyPI, given that PyPI doesn't support uploading OpenPGP signatures
> anyway?

I need to create a .tar.gz and a .tar.gz.asc.

I am currently not using any service to upload to pypi. But this requires the occasional creation and deletion of global tokens.

The only way to avoid global tokens is to upload from github, in which case I can no longer sign the .tar.gz.

I was more referring to the fact that all the replies were insinuating that I'm paranoid for not wanting to upload a privkey to some github service, and that anyway signatures are useless so it doesn't matter.

Plus I find it very questionable that the choice is between creating a global token and using github, but that's a different issue that I'm not optimistic about.

A signature isn't the same as a checksum. Probably nobody was using them because there was no way to check them automatically.

Best

--
Salvo Tomaselli

"I do not feel obliged to believe that the same God who has endowed us with sense, reason, and intellect has intended us to forgo their use."
 -- Galileo Galilei

https://ltworf.codeberg.page/