Yesterday night, on the #pypa IRC channel, asked about uploading detached gpg signatures for the packages. According to , twine did not upload the signature, even with passing -s as an argument. I tried to do the same in test.pypi.org, and at first, I felt the same, as the package page was not showing anything. As I started reading the source of twine to figure out what is going on, I found that it uploads the signature as part of the metadata of the package. The JSON API actually showed that the release is signed. Later, and explained that we just have to add .asc at the end of the URL of the package to download the detached signature.
During the conversation, mentioned that only 4% of the total packages are actually gpg signed. And gpg is written in C and is also GPL licensed software, so it cannot be packaged inside of CPython (as pip is packaged inside of CPython). The idea of a future PyPI where all packages must be signed (how will still have to be discussed) was also discussed in the IRC channel. We also got to know that we can delete any file/release from PyPI, but we cannot reload those files again. One has to do a new release. This is also very important in case you want to upload signatures: you will have to do that at the time of uploading the package.
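As an added example (not code from the post or from twine), here is how the two observations above fit together in practice: the JSON API tells you which files of a release carry a signature, the detached signature lives at the file URL plus ".asc", and files that were uploaded unsigned stay unsigned until a new release. The API response is constructed inline so it runs offline, and the "has_sig" field is assumed to be the flag the JSON API uses for a signed file.

```python
import json

# Constructed sample of a response from https://pypi.org/pypi/<name>/json,
# trimmed to the fields this example uses. The "has_sig" flag is assumed
# to mark files that were uploaded together with a detached signature.
SAMPLE_RESPONSE = json.dumps({
    "info": {"name": "example-pkg", "version": "1.0.0"},
    "urls": [
        {"filename": "example_pkg-1.0.0-py3-none-any.whl",
         "packagetype": "bdist_wheel",
         "has_sig": True,
         "url": "https://files.pythonhosted.org/packages/aa/bb/"
                "example_pkg-1.0.0-py3-none-any.whl"},
        {"filename": "example-pkg-1.0.0.tar.gz",
         "packagetype": "sdist",
         "has_sig": False,
         "url": "https://files.pythonhosted.org/packages/cc/dd/"
                "example-pkg-1.0.0.tar.gz"},
    ],
})


def signature_urls(api_response: str) -> dict:
    """Map each signed release file to the URL of its detached signature.

    The signature is not listed as a separate file in the API; it is
    served at the package URL with ".asc" appended.
    """
    data = json.loads(api_response)
    return {entry["filename"]: entry["url"] + ".asc"
            for entry in data.get("urls", [])
            if entry.get("has_sig")}


def unsigned_files(api_response: str) -> list:
    """Release files with no signature. These cannot be signed after the
    fact: the file would have to be deleted and shipped in a new release."""
    data = json.loads(api_response)
    return [entry["filename"] for entry in data.get("urls", [])
            if not entry.get("has_sig")]


def verify_argv(filename: str, sig_filename: str) -> list:
    """Argument vector for checking a downloaded file against its detached
    signature with gpg (the signer's public key must be in the keyring)."""
    return ["gpg", "--verify", sig_filename, filename]


if __name__ == "__main__":
    for name, sig_url in signature_urls(SAMPLE_RESPONSE).items():
        print(name, "->", sig_url)
    print("unsigned:", unsigned_files(SAMPLE_RESPONSE))
```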
also wrote about the idea of signing the packages a few years ago.