
Re: GnuPG signatures on PyPI: why so few?



Brian May <bam@debian.org> writes:

> Maybe there is some way of turning signatures on by default, so I don't
> have to remember for every upload, if so, I haven't been able to work it
> out yet however.

I don't know how it should be done using the currently-recommended
Twine tool.


For Distutils, the ‘upload’ command has a ‘--sign’ option
<URL:https://docs.python.org/3.1/distutils/uploading.html> to specify
the distribution should be GnuPG signed, and the ‘--identity’ option
specifies which GnuPG identity from your keyring should sign the
distribution.

To set an option default for Setuptools commands, you put it in the
‘setup.cfg’ file.

So, in the code base's ‘setup.cfg’:

    [upload]

    # Sign distributions, and upload the signing public key?
    sign = true

    # Which GnuPG identity to use for signing?
    identity = christina@example.org

-- 
 \      “Probably the earliest flyswatters were nothing more than some |
  `\    sort of striking surface attached to the end of a long stick.” |
_o__)                                                     —Jack Handey |
Ben Finney


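The setup.cfg fragment in Ben's mail only sets defaults; what those defaults turn into is the `gpg --detach-sign -a <archive>` call (plus `--local-user <identity>` when `identity` is set) that the Distutils upload command spawns, writing `<archive>.asc` next to each distribution. The script below is an added example, not code from the mail or from Distutils or Setuptools: it reads the `[upload]` section the way Distutils does (the `sign` value parsed with the same truth table as `distutils.util.strtobool`), builds that gpg command line for every archive in a `dist/` directory, and offers the matching `gpg --verify` command so a downloader can check the `.asc` against the file. The sample setup.cfg text and the `run` hook for substituting a recorder in place of `subprocess.check_call` are assumptions made for the example.

```python
"""Reproduce what Distutils' ``upload --sign`` does, driven by setup.cfg defaults.

Added example; not code from the original mail, Distutils or Setuptools.
"""
import configparser
import subprocess
from pathlib import Path

# Constructed setup.cfg text mirroring the fragment in the mail (an assumption
# for this example, not a file from any real project).
SAMPLE_SETUP_CFG = """\
[upload]
sign = true
identity = christina@example.org
"""

_TRUE = {"y", "yes", "t", "true", "on", "1"}
_FALSE = {"n", "no", "f", "false", "off", "0"}


def strtobool(value):
    """Same truth table as distutils.util.strtobool; anything else is an error."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("invalid boolean value %r" % value)


def upload_defaults(cfg_text):
    """Return (sign, identity) as the [upload] section of setup.cfg sets them."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    if not parser.has_section("upload"):
        return False, None
    sign = strtobool(parser.get("upload", "sign", fallback="false"))
    identity = parser.get("upload", "identity", fallback=None)
    return sign, identity


def gpg_sign_command(filename, identity=None):
    """argv the Distutils upload command spawns for a signed distribution:
    a detached, ASCII-armoured signature written next to the file as <file>.asc."""
    args = ["gpg", "--detach-sign", "-a", str(filename)]
    if identity:
        # Distutils inserts the identity right after --detach-sign.
        args[2:2] = ["--local-user", identity]
    return args


def gpg_verify_command(filename):
    """argv a downloader runs to check the detached signature against the archive."""
    return ["gpg", "--verify", str(filename) + ".asc", str(filename)]


def sign_distributions(dist_dir, cfg_text, run=subprocess.check_call):
    """Sign every archive in dist_dir if setup.cfg says so; return the commands run.

    ``run`` is an assumed hook so the gpg call can be replaced by a recorder.
    """
    sign, identity = upload_defaults(cfg_text)
    if not sign:
        return []
    commands = []
    for archive in sorted(Path(dist_dir).glob("*")):
        # Skip existing signatures and anything that is not a plain file.
        if not archive.is_file() or archive.suffix == ".asc":
            continue
        cmd = gpg_sign_command(archive, identity)
        run(cmd)
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    for cmd in sign_distributions("dist", SAMPLE_SETUP_CFG):
        print(" ".join(cmd))
        print(" ".join(gpg_verify_command(cmd[-1])))
```

Run from a project directory after `python setup.py sdist` to sign everything already in `dist/`; the verify line printed for each archive is what a recipient types, with the signer's public key imported, to confirm the `.asc` matches the download.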