Removing PGP from PyPI (2023)

Does it matter much if the key can be verified? I mean it seems like a pretty big step up security wise to know that a new version of a package is signed with the same key was previous versions.

> I mean it seems like a pretty big step up security wise to know that a new version of a package is signed with the same key was previous versions.

A key part of the rationale for removing PGP uploads from PyPI was that you can't in fact know this, given the current state (and expected future) of key distribution in PGP.

(But also: yes, it's indeed important that the key can be verified i.e. considered authentic for an identity. Without that, you're in "secure phone call with the devil" territory.)

> A key part of the rationale for removing PGP uploads from PyPI was that you can't in fact know this, given the current state (and expected future) of key distribution in PGP.

I find that hard to believe. The public key or at least its fingerprint should be in the signature itself.

The fingerprint is always in the signature (when the signature packets are well-formed). The public key is almost always not. I think it would behoove you to read the post linked in TFA, which explains this in detail[1].

[1]: https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI...

In general in Software you have to start with an idea of what you want to accomplish. Then you have to break that down and determine what is feasible within the constraints you are working. Ideally you then point out the constraints that are limiting your solution. I feel like all of that is missing here. All I can see there is just an immense sea of details.