
Vincent Hanquez
I agree this is terrible. I've started working on this, but it's quite a bit of work and other priorities always pop up.
https://github.com/vincenthz/cabal https://github.com/vincenthz/cabal-signature
My current implementation generates a manifest during sdist'ing in cabal, and has cabal-signature called by cabal on the manifest to create a manifest.sign.
The main issue I'm facing is how to create a Web of Trust for doing all the public verification bits.
You don't need it yet. See my other post. Once the basic infrastructure for signatures is established, you can allow the user to have a set of trusted keys. The idea is that users can ask for keys and/or import keys from key servers. In the worst case they accept keys when installing a package. Once you have such a trust database you can allow users to select whether a key is to be trusted for signing other keys. Then you have basically everything to establish both hierarchical trust relationships (like CAs) and webs of trust.

Greets,
Ertugrul

--
Not to be or to be and (not to be or to be and (not to be or to be and (not to be or to be and ... that is the list monad.
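The two messages above sketch a design in two halves: a manifest of the sdist contents that cabal-signature signs (Vincent's post), and a trust database of user-accepted keys, some of which may vouch for other keys, that the verifier consults (Ertugrul's reply). The following is an added, self-contained illustration of both halves; it is not code from cabal or cabal-signature, and the manifest layout (one "sha256  path" line per file), the key-ID scheme, the "cabal-cert:" domain prefix and the TrustDB API are all assumptions made here for the example. Ed25519 from the Go standard library stands in for whatever signature scheme the real tool would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// buildManifest lists every file of the sdist with its SHA-256, sorted by path,
// so the same tarball contents always produce the same manifest bytes.
// (Assumed layout: "<sha256 hex>  <path>\n" per file.)
func buildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(b.String())
}

// keyID is a short fingerprint used to look keys up in the trust database.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// certMsg domain-separates key certifications from manifest signatures, so a
// signature over a key can never be replayed as a signature over a manifest.
func certMsg(subject ed25519.PublicKey) []byte {
	return append([]byte("cabal-cert:"), subject...)
}

type trustedKey struct {
	pub        ed25519.PublicKey
	canCertify bool // may this key vouch for other keys (CA / web-of-trust edge)?
}

// TrustDB is the user's set of accepted keys, as described in the reply above.
type TrustDB struct{ keys map[string]trustedKey }

func NewTrustDB() *TrustDB { return &TrustDB{keys: map[string]trustedKey{}} }

// Trust records a key the user accepted directly (imported from a key server
// or accepted at install time) and returns its ID.
func (db *TrustDB) Trust(pub ed25519.PublicKey, canCertify bool) string {
	id := keyID(pub)
	db.keys[id] = trustedKey{pub: pub, canCertify: canCertify}
	return id
}

// Certification is the statement "signer vouches for subject".
type Certification struct {
	SignerID string
	Subject  ed25519.PublicKey
	Sig      []byte
}

func Certify(signer ed25519.PrivateKey, subject ed25519.PublicKey) Certification {
	pub := signer.Public().(ed25519.PublicKey)
	return Certification{SignerID: keyID(pub), Subject: subject, Sig: ed25519.Sign(signer, certMsg(subject))}
}

// Import accepts a certification only if the signer is already trusted and
// allowed to certify. The subject becomes trusted for signing packages but not
// for certifying further keys, so trust does not spread transitively by default.
func (db *TrustDB) Import(c Certification) error {
	signer, ok := db.keys[c.SignerID]
	if !ok {
		return errors.New("certifying key is not in the trust database")
	}
	if !signer.canCertify {
		return errors.New("certifying key is not trusted to sign other keys")
	}
	if !ed25519.Verify(signer.pub, certMsg(c.Subject), c.Sig) {
		return errors.New("bad certification signature")
	}
	db.keys[keyID(c.Subject)] = trustedKey{pub: c.Subject, canCertify: false}
	return nil
}

// VerifyPackage checks the detached manifest signature against a trusted key,
// then the manifest against the unpacked files. Both steps must pass: a valid
// signature over a manifest that does not describe the files is worthless.
func (db *TrustDB) VerifyPackage(manifest, sig []byte, signerID string, files map[string][]byte) error {
	k, ok := db.keys[signerID]
	if !ok {
		return errors.New("manifest signed by unknown key " + signerID)
	}
	if !ed25519.Verify(k.pub, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	if !bytes.Equal(manifest, buildManifest(files)) {
		return errors.New("unpacked files do not match the signed manifest")
	}
	return nil
}

// ScenarioResult collects the outcome of four verification attempts.
type ScenarioResult struct {
	Genuine, Tampered, Unknown, BadCertifier error
}

// RunScenario exercises the whole flow on a constructed two-file package.
func RunScenario() ScenarioResult {
	maintainerPub, maintainerPriv, _ := ed25519.GenerateKey(rand.Reader)
	contribPub, contribPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)

	db := NewTrustDB()
	db.Trust(maintainerPub, true) // user accepted this key and lets it certify others
	var r ScenarioResult
	if err := db.Import(Certify(maintainerPriv, contribPub)); err != nil {
		r.Genuine = err
		return r
	}
	// Constructed sdist contents for the example.
	files := map[string][]byte{"foo.cabal": []byte("name: foo\n"), "src/Foo.hs": []byte("module Foo where\n")}
	manifest := buildManifest(files)
	sig := ed25519.Sign(contribPriv, manifest)
	r.Genuine = db.VerifyPackage(manifest, sig, keyID(contribPub), files)

	tampered := map[string][]byte{"foo.cabal": files["foo.cabal"], "src/Foo.hs": []byte("module Foo where\nmain = evil\n")}
	r.Tampered = db.VerifyPackage(manifest, sig, keyID(contribPub), tampered)
	r.Unknown = db.VerifyPackage(manifest, ed25519.Sign(strangerPriv, manifest), keyID(strangerPub), files)
	r.BadCertifier = db.Import(Certify(contribPriv, strangerPub)) // contributor may not certify
	return r
}

func main() {
	r := RunScenario()
	fmt.Println("genuine:", r.Genuine, "| tampered:", r.Tampered, "| unknown:", r.Unknown, "| bad certifier:", r.BadCertifier)
}
```

Only the genuine package verifies; the tampered files, the unknown signer and the certification by a non-certifying key are all rejected. Whether a certified key may itself certify (full web of trust) or not (strict hierarchy) is a single flag per entry, which is the point of Ertugrul's suggestion: the trust database, not the signature format, decides the trust model.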