
61 points harporoeder | 1 comment
jacques_chester No.41873868
I performed a similar analysis on RubyGems and found that of the top 10k most-downloaded gems, less than one percent had valid signatures. That plus the general hassle of managing key material means that this was a dead-end for large scale adoption.

I'm still hopeful that sigstore will see wide adoption and bring authorial attestation (code signing) to the masses.

replies(1): >>41874263
wnissen No.41874263
I agree, where is the LetsEncrypt for signing? Something you could download and get running in literally a minute.
replies(1): >>41874428
arccy No.41874428
sigstore https://docs.sigstore.dev/quickstart/quickstart-cosign/#exam...
replies(2): >>41874599 >>41876000
Diti No.41874599
Specifically, the CA signing the code certificates (that are valid for 10 minutes) is https://github.com/sigstore/fulcio.
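The short-lived certificate model the replies above describe has a verification consequence worth seeing in code: a signature made under a 10-minute certificate must be checked against the certificate's validity window at the time of signing, not at the time the verifier runs, otherwise every signature looks invalid ten minutes after release. The following Go program is an added example, not sigstore's, Fulcio's or cosign's own code. It stands up a throwaway self-signed CA in place of Fulcio (names such as "example-ca" and "ephemeral-signer" are hypothetical), issues a certificate with the 10-minute lifetime mentioned above to an ephemeral key, signs a constructed artifact, and verifies it at several instants. Sigstore obtains the signing instant from the Rekor transparency log entry; here it is simply passed to the verifier as a parameter, and the OIDC identity Fulcio binds into the certificate is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed lifetime for this illustration; the thread states Fulcio certificates are valid for 10 minutes.
const certLifetime = 10 * time.Minute

// newCA builds a self-signed CA standing in for Fulcio (assumption: a single root, no intermediates).
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueSigningCert issues a code-signing certificate that expires certLifetime after issuedAt.
func issueSigningCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, issuedAt time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ephemeral-signer"}, // hypothetical name
		NotBefore:    issuedAt,
		NotAfter:     issuedAt.Add(certLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt checks the chain as of the instant `at` (the signing time, which sigstore takes
// from the Rekor log entry), then checks the artifact signature with the leaf's public key.
func verifyAt(artifact, sig []byte, leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(leaf.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return errors.New("artifact signature does not verify")
	}
	return nil
}

// DemoResult holds the verification outcome at several instants (nil means verified).
type DemoResult struct {
	AtSigning, FiveMinutesLater, OneHourLater, Tampered error
}

// RunDemo signs a constructed artifact under an ephemeral key and verifies it at different times.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	signedAt := time.Now()
	ca, caKey, err := newCA(signedAt)
	if err != nil {
		return r, err
	}
	signerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral; never stored
	if err != nil {
		return r, err
	}
	leaf, err := issueSigningCert(ca, caKey, &signerKey.PublicKey, signedAt)
	if err != nil {
		return r, err
	}
	artifact := []byte("constructed sample artifact: example-1.0.0.gem") // constructed input
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
	if err != nil {
		return r, err
	}
	r.AtSigning = verifyAt(artifact, sig, leaf, ca, signedAt)
	r.FiveMinutesLater = verifyAt(artifact, sig, leaf, ca, signedAt.Add(5*time.Minute))
	r.OneHourLater = verifyAt(artifact, sig, leaf, ca, signedAt.Add(time.Hour)) // cert expired by then
	r.Tampered = verifyAt(append([]byte("x"), artifact...), sig, leaf, ca, signedAt)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("at signing: %v\n5 min later: %v\n1 h later: %v\ntampered: %v\n", r.AtSigning, r.FiveMinutesLater, r.OneHourLater, r.Tampered)
}
```

The first two checks pass, the one-hour check fails with an x509 "certificate has expired" error, and the tampered artifact fails on the signature itself. The design point is in verifyAt: CurrentTime is an input supplied by a trusted time source, so the certificate's short life limits how long a stolen key is useful without making old signatures unverifiable. Without a trusted record of when the signature was made, a verifier has to choose between rejecting everything older than ten minutes and trusting a timestamp the signer controls.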