Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Support verification of GnuPG signed packages
See original GitHub issueYou can upload packages to PyPI and sign the distributions using GnuPG with twine (https://packaging.python.org/tutorials/distributing-packages/#upload-your-distributions).
My recommendation for pipenv is that you can (optionally) add a GnuPG key to the pip/piplock file for packages. The update or installation process will then only work if the packages has been signed with the correct GnuPG key.
While I agree that pipenv should not add too many features and focus on being relatively lighweight and functional, I think this is an important issue because of security. Manually veryfing signatures is not the way to go.
Issue Analytics
- State:
- Created 6 years ago
- Reactions:1
- Comments:8 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
i added it 😃
Well, I do not have any permissions to do so. But anyway, keep up the good work and perhaps this feature lands on pipenv someday! 😃