Support verification of GnuPG signed packages
You can upload packages to PyPI and sign the distributions using GnuPG with twine (https://packaging.python.org/tutorials/distributing-packages/#upload-your-distributions).
My recommendation for pipenv is that you can (optionally) add a GnuPG key to the pip/piplock file for packages. The update or installation process will then only work if the package has been signed with the correct GnuPG key.
While I agree that pipenv should not add too many features and focus on being relatively lightweight and functional, I think this is an important issue because of security. Manually verifying signatures is not the way to go.
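To make the proposed check concrete, here is an added Python sketch of the verification step (example code, not pipenv's own and not from the issue author). It assumes a hypothetical `gpg_fingerprint` field per package in the lock file, a detached `<dist>.asc` signature next to the downloaded distribution (the file `twine upload --sign` produces), and that the pinned key is already in the local keyring. The security-relevant detail is that `gpg --verify` exiting 0 only proves that *some* key in the keyring signed the file; the installer must also read the signing key's full fingerprint from gpg's `VALIDSIG` status line and compare it with the pinned one, otherwise any key a user has imported would satisfy the check.

```python
"""Verify a downloaded distribution against a GnuPG fingerprint pinned in the lock file."""
import json
import re
import subprocess
from pathlib import Path

# Constructed lock-file excerpt for the example. The "gpg_fingerprint" field is the
# proposal's hypothetical addition; real Pipfile.lock entries do not carry it.
LOCK_EXCERPT = json.loads("""
{
  "default": {
    "requests": {
      "version": "==2.31.0",
      "gpg_fingerprint": "aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa"
    },
    "unsigned-pkg": {
      "version": "==1.0"
    }
  }
}
""")

# With --status-fd, gpg prints "[GNUPG:] VALIDSIG <fingerprint> ..." for a good
# signature. Unlike GOODSIG (which only carries a short key ID), VALIDSIG carries the
# full fingerprint (40 hex digits for v4 keys, 64 for v5), which is what we pin.
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{40,64})\b")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: upper-case hex without spaces, so lock-file spacing is irrelevant."""
    return fp.replace(" ", "").upper()


def pinned_fingerprint(lock: dict, name: str, section: str = "default") -> str:
    """Fingerprint pinned for a package; fail closed if nothing is pinned."""
    fp = lock[section][name].get("gpg_fingerprint")
    if not fp:
        raise ValueError(f"{name}: no gpg_fingerprint pinned in lock file")
    return normalize_fingerprint(fp)


def signature_from_pinned_key(status_output: str, expected_fp: str) -> bool:
    """True only if gpg reported a VALIDSIG whose signing-key fingerprint equals expected_fp."""
    expected = normalize_fingerprint(expected_fp)
    for line in status_output.splitlines():
        m = _VALIDSIG.match(line)
        if m and normalize_fingerprint(m.group(1)) == expected:
            return True
    return False


def verify_distribution(dist_path: Path, expected_fp: str) -> bool:
    """Verify dist_path against the detached dist_path.asc next to it.

    A zero exit code from gpg is necessary but not sufficient: any key in the keyring
    would produce it, so the fingerprint on the VALIDSIG line is checked as well.
    """
    sig_path = dist_path.with_name(dist_path.name + ".asc")
    if not sig_path.exists():
        return False
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(dist_path)],
        capture_output=True,
        text=True,
    )
    if proc.returncode != 0:
        return False
    return signature_from_pinned_key(proc.stdout, expected_fp)


if __name__ == "__main__":
    # Usage sketch: verify a downloaded sdist before installing it.
    fp = pinned_fingerprint(LOCK_EXCERPT, "requests")
    ok = verify_distribution(Path("requests-2.31.0.tar.gz"), fp)
    print("signature from pinned key:", ok)
```

The status-line parsing is kept separate from the gpg invocation so it can be tested with captured output; a missing `.asc`, a missing pin, or a signature from any other key all cause the check to fail closed. One practical caveat: PyPI stopped accepting new PGP signature uploads in 2023, so today the `.asc` files would have to come from an index or channel that still serves them.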
Issue Analytics
- State:
- Created 6 years ago
- Reactions:1
- Comments:8 (5 by maintainers)
Top GitHub Comments
I added it 😃
Well, I do not have any permissions to do so. But anyway, keep up the good work and perhaps this feature lands on pipenv someday! 😃