Closed Bug 803298 Opened 13 years ago Closed 13 years ago

Implement gnupg signature checking in pip

Categories

(Marketplace Graveyard :: General, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: kang, Unassigned)

References

Details

When installing packages via pip, the GnuPG signature of the packages is not checked. This would be a welcome addition to:
- authenticate the package maintainer, or owner
- verify that the package has not been tampered with

Signing Python packages is, to the best of my knowledge, currently done via:

$ python setup.py upload --sign

This is the signature that should be verified (if present). In particular, there should be:
- a flag to force signature checking (install fails if no signature is present)
- a possible prompt to install anyway (if the key is not present in the GnuPG database), that is for convenience only (especially useful for non-Mozilla users)
- a way to either specify a trusted key or a list of trusted keys (full fingerprints, not short ids), OR
- use the GnuPG trust database to store the trusted developer keys.

For examples of well-known setups, see the archlinux pacman key validation (it uses the GnuPG trust database), or the RPM/Deb key validation (it uses its own list of keys).
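An added illustration of the policy the report asks for, not code from pip or from this bug: a Python helper that runs gpg on the detached `.asc` produced by `setup.py upload --sign`, refuses unsigned packages when a signature is required, and accepts only signers whose full 40-hex fingerprint is on an allow-list. The `gpg` invocation, the `Verdict` type and the archive path are assumptions; the status lines used to exercise the policy are constructed.

```python
import os
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

def _normalize(fpr: str) -> str:
    # Compare full 40-hex fingerprints only; short key ids are never trusted.
    return fpr.replace(" ", "").upper()

def evaluate_status(status_lines: Iterable[str], trusted_fprs: Iterable[str]) -> Verdict:
    """Apply the requested policy to gpg --status-fd output lines."""
    trusted = {_normalize(f) for f in trusted_fprs}
    fpr, good = None, False
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "GOODSIG":            # valid signature from a non-expired, non-revoked key
            good = True
        elif tag == "VALIDSIG":         # carries the signing key's full fingerprint
            fpr = _normalize(parts[2])
        elif tag in ("BADSIG", "ERRSIG", "NODATA", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"signature rejected ({tag})")
        elif tag == "NO_PUBKEY":
            return Verdict(False, f"signing key {parts[2]} not in keyring")
    if not (good and fpr):
        return Verdict(False, "no valid signature found")
    if fpr not in trusted:
        return Verdict(False, "signer not on trusted fingerprint list", fpr)
    return Verdict(True, "signature OK", fpr)

def verify_package(archive: str, trusted_fprs: Iterable[str], require_signature: bool = True) -> Verdict:
    """Added example, not pip's code: assumes gpg on PATH and <archive>.asc beside the archive."""
    sig = archive + ".asc"
    if not os.path.exists(sig):
        if require_signature:
            return Verdict(False, "no signature present; refusing to install")
        return Verdict(True, "unsigned package accepted (signature not required)")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, archive],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout.splitlines(), trusted_fprs)
```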
I agree this should be built into pip. It looks like other people are doing this with gpg itself using servers like keys.gnupg.net. More info: http://www.davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/
I'm going to wontfix this as the marketplace team is not the maintainer of the pip software. Please encourage the pip maintainers to fix this bug via their issue tracking software.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID