←back to thread

Removing PGP from PyPI (2023)

(blog.pypi.org)
61 points harporoeder | 2 comments | 17 Oct 24 20:03 UTC | HN request time: 0.446s | source
1. aborsy ◴[18 Oct 24 01:55 UTC] No.41875702[source]
What’s the current best solution for associating a public key to an identity or person?

This is not related to cryptography protocols.

OpenPGP key server verifies email. Keybase was a good idea but seems dead. Maybe identity providers?

replies(1): >>41875876 #
2. woodruffw ◴[18 Oct 24 02:30 UTC] No.41875876[source]
> Maybe identity providers?

That's essentially all Sigstore is: it uses an identity provider to bind an identity (like an email) to a short-lived signing key.