如何验证pip包的PGP密钥? [英] How do I validate a pip package's PGP key?
问题描述
我正在使用 pycryptodomme
库.文档状态
PyPI上的所有源代码包和密码轮均经过加密签名.可以使用以下PGP密钥验证它们:
All source packages and wheels on PyPI are cryptographically signed. They can be verified with the following PGP key:
我通过 pip
pip install pycryptodome
我尝试直接通过
pip download pycryptodome
没有 *.sig
或 *.asc
文件.当我在此处的建议下直接检查车轮文件时,我什至看不到它.
There isn't a *.sig
or *.asc
file. I don't even see it when I inspect the wheel file directly using the suggestion here.
问题:
如何按照文档建议检查转轮文件的签名?
How do I check the signature of the wheel file as the documentation suggests?
推荐答案
PyPI上的所有源代码包和转轮都经过加密签名.
All source packages and wheels on PyPI are cryptographically signed. 这不再是事实.当PGP签名从旧后端切换到仓库时,它们已从PyPI中删除: That's no longer true. PGP signatures were dropped from PyPI when they switched from old backend to Warehouse: https://github.com/pypa/warehouse/issues/3356#issuecomment-375303794 https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html 一旦关闭旧版PyPI,一切都会消失: Things that will go away once legacy PyPI shuts down: 软件包的GPG/PGP签名 GPG/PGP signatures for packages 这篇关于如何验证pip包的PGP密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!