Removal of any signatures system
Posted Apr 12, 2018 18:34 UTC (Thu) by dstufft (guest, #93456) In reply to: Removal of any signatures system by mmerickel
Parent article: A new package index for Python
There were two distinct features that dealt with PGP signatures on PyPI:
1. The ability to associate a PGP key identity with your user account.
2. The ability to upload a detached signature alongside the file during upload, and having that available for download, and displayed in the UI.
These two features were, as far as the code itself was concerned, entirely unrelated. You could (and still can) submit a detached signature using any key that you possess, regardless of what PyPI thinks your public key is via the mechanism in (1). The only purpose of the mechanism in (1) is to allow people to discover what your public key is, theoretically to allow them to validate the signatures if you used that public key.
So what's changed in the new PyPI?
Well, (1) is gone, because it is almost entirely pointless. The only way to add or get the information stored in that field is using an HTTP request protected by TLS. If you rely on trusting that field, then the security of the system you've created devolves into trusting TLS, and if you're trusting TLS then you might as well trust TLS for everything and not just one part of it.
(2) still exists and works: you can still sign files with whatever key you possess and upload a detached signature as part of the file upload. The only thing that has changed in regards to (2) is that we will no longer indicate in the UI whether a file has been PGP signed or not, nor provide a link in the UI to download it. The file is still available for download (using the URL specified in PEP 503) and it is still possible to upload signatures.
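The comment above says the detached signatures remain reachable through the PEP 503 simple index even though the UI no longer links them. As an added illustration (not code from the commenter or from PyPI), the following stdlib-only parser reads a simple-index page, picks out file links that carry PEP 503's `data-gpg-sig="true"` attribute, and derives the signature URL, which PEP 503 defines as the file URL with `.asc` appended (hash fragment removed). The index HTML is a constructed sample, not a real PyPI page.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin


class _SimpleIndexParser(HTMLParser):
    """Collect <a> links (href, data-gpg-sig, link text) from a PEP 503 page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if "href" in a:
            self._current = {"href": a["href"], "gpg": a.get("data-gpg-sig"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def find_signed_files(html, base_url):
    """Return (filename, file_url, signature_url_or_None) for every file link.

    The signature URL follows PEP 503: the file URL (without its #sha256=...
    fragment) plus ".asc", but only when data-gpg-sig="true" is present.
    """
    parser = _SimpleIndexParser()
    parser.feed(html)
    results = []
    for link in parser.links:
        file_url, _fragment = urldefrag(urljoin(base_url, link["href"]))
        sig_url = file_url + ".asc" if link["gpg"] == "true" else None
        results.append((link["text"], file_url, sig_url))
    return results


# Constructed sample index page (hashes are placeholders, not real digests).
SAMPLE_INDEX = """<!DOCTYPE html><html><body>
<a href="../../pkgs/examplepkg-1.0.tar.gz#sha256=0000" data-gpg-sig="true">examplepkg-1.0.tar.gz</a><br/>
<a href="../../pkgs/examplepkg-1.1.tar.gz#sha256=1111" data-gpg-sig="false">examplepkg-1.1.tar.gz</a><br/>
<a href="../../pkgs/examplepkg-1.2-py3-none-any.whl#sha256=2222">examplepkg-1.2-py3-none-any.whl</a><br/>
</body></html>"""
```

A client would fetch each `signature_url` that is not `None` and verify it against the downloaded file with a key obtained out of band, since, as the comment notes, the index itself can only vouch for the key to the extent one trusts TLS.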
