
72 points harporoeder | 3 comments
jacques_chester ◴[] No.41873868[source]
I performed a similar analysis on RubyGems and found that of the top 10k most-downloaded gems, less than one percent had valid signatures. That plus the general hassle of managing key material means that this was a dead-end for large scale adoption.

I'm still hopeful that sigstore will see wide adoption and bring authorial attestation (code signing) to the masses.

replies(1): >>41874263 #
wnissen ◴[] No.41874263[source]
I agree. Where is the LetsEncrypt for signing? Something you could download and get running in literally a minute.
replies(1): >>41874428 #
arccy ◴[] No.41874428[source]
sigstore https://docs.sigstore.dev/quickstart/quickstart-cosign/#exam...
replies(2): >>41874599 #>>41876000 #
1. crote ◴[] No.41876000[source]
I don't think Sigstore is a good example. I just spent half an hour trying to understand it, and I am still left with basic questions like "Does it require me to authenticate with GitHub & friends, or can I use my own OIDC backend?": it seems like you can, but there are cases where you need to use a blessed OIDC provider, but you can override that while self-hosting, and there are config options for the end user to specify any OIDC provider? But the entire trust model also relies on the OIDC backend being trustworthy?

The quickstart guide looks easy enough to follow, but it seems nobody bothered to document what exactly is happening in the background, and why. There's literally a dozen moving pieces and obscure protocols involved. As an end user, Sigstore looks like a Rube Goldberg trust machine to me. It might just as well be a black box.

PGP is easy to understand. LetsEncrypt is easy to understand. I'm not an expert on either, but I am reasonably certain I can explain them properly to the average high-schooler. But Sigstore? Not a chance - and in my opinion that alone makes it unsuitable for its intended use.

replies(1): >>41876486 #
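An added example, not from this thread and not code from the Sigstore project, that models in Go's standard library the keyless flow the comment above is asking about: a Fulcio-like CA issues a certificate valid for minutes that binds an identity (what the OIDC token asserts) to a throwaway key, the signer signs the artifact and discards the key, and the verifier checks that the certificate chains to a root it already trusts, that the identity in it is the one expected, and that the signature matches. The names (newCA, issueCert, signArtifact, verifyArtifact, Bundle), the e-mail address and the artifact bytes are constructed for the example; the OIDC exchange is reduced to an already-verified identity string, and the Rekor transparency log is left out.

```go
// Added example, not code from the thread or the Sigstore project: a stdlib-only
// model of the keyless flow. newCA/issueCert stand in for Fulcio, signArtifact for
// signing, verifyArtifact for verification. OIDC is reduced to a verified string.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA models Fulcio: the root the verifier trusts plus the key that signs leaf certs.
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed example root"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{key: key, cert: cert}, nil
}

// issueCert binds the identity Fulcio would have taken from a validated OIDC
// token (here: a plain e-mail string) to the signer's ephemeral public key.
func (ca *CA) issueCert(email string, pub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		EmailAddresses: []string{email}, // identity lives in the SAN
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(10 * time.Minute), // minutes, not years
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
}

// Bundle is what travels with the artifact: the leaf cert and the signature.
type Bundle struct {
	CertDER []byte
	Sig     []byte
}

// signArtifact: generate a throwaway key, get a cert for it, sign, drop the key.
func signArtifact(ca *CA, email string, artifact []byte) (*Bundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	certDER, err := ca.issueCert(email, &key.PublicKey)
	if err != nil { return nil, err }
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { return nil, err }
	return &Bundle{CertDER: certDER, Sig: sig}, nil
}

// verifyArtifact is the relying party's side: trusted root, expected identity,
// valid signature; skipping any one of the three gives no assurance at all.
// Real verification also consults a Rekor log entry so a cert that has since
// expired is still accepted if it was valid at signing time; this model uses
// the current time, so it only verifies within the cert's short lifetime.
func verifyArtifact(root *x509.Certificate, expectedEmail string, artifact []byte, b *Bundle) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil { return fmt.Errorf("certificate not trusted: %w", err) }
	matched := false
	for _, e := range cert.EmailAddresses { if e == expectedEmail { matched = true } }
	if !matched { return errors.New("certificate identity is not the expected signer") }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return errors.New("unexpected key type in certificate") }
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], b.Sig) { return errors.New("signature does not match artifact") }
	return nil
}

func main() {
	ca, err := newCA(); if err != nil { panic(err) }
	artifact := []byte("constructed artifact bytes")
	b, err := signArtifact(ca, "dev@example.com", artifact); if err != nil { panic(err) }
	fmt.Println("expected identity:", verifyArtifact(ca.cert, "dev@example.com", artifact, b))
	fmt.Println("wrong identity:", verifyArtifact(ca.cert, "other@example.com", artifact, b))
}
```

The model makes the trust question concrete: the verifier supplies two things of its own, the root it trusts and the identity it expects, and nothing in the bundle can substitute for either. That is also where the OIDC issuer enters: the CA only binds identities it has been told to believe, so the issuer's honesty is part of the root of trust.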
2. jacques_chester ◴[] No.41876486[source]
The important difference is that sigstore enables a "single click" signing procedure with no faffing around with key material. How it works is much less important than the user experience, which is vastly better.
replies(1): >>41879190 #
3. crote ◴[] No.41879190[source]
> How it works is much less important than the user experience, which is vastly better.

I disagree. If it requires a Magic Trust Box which can be Trusted because it is made by Google and Google is Trustworthy, it has exactly zero value to the wider community. It doesn't matter how convenient the user experience is when it isn't clear why it provides trust.

Let's say I created an artifact upload platform, where the uploader can mark a "This file is trustworthy" checkbox, which results in the file being given a nice green happy face icon in the index. It is incredibly convenient and provides a trivial user experience! And it's of course completely legit and trustworthy because *vague hand waving gestures*. Would you trust my platform?