I don't understand the number 2 method you mentioned. I looked at your setup.py and it is completely free of any .asc link. The new PyPI doesn't allow you to register your GPG key, and in any case, you may have more than one - e.g. one for your personal development and another for your work email. So, to me, it makes more sense to list your gpg-key signature in setup.py, and then offer options to pip to verify during installations.
I think the primary acknowledgement of this issue is that the new PyPI allows authors to use MFA, which I've now enabled.
You are right, actually both are required. There should be a field in setup.py where the devs should be able to put their GPG ID. The .asc link is already available, just put the .asc after the download link of the setup file and you'll get it.
Actually, it could also be the case that there are multiple dudes of the same name (like "John Doe") and it's not possible to search through the keys and determine who this particular package's author is. In fact, services like GitHub can play a huge role in this. Since GitHub already has my GPG ID because I sign all my commits, GitHub can easily verify my packages by matching my signed .asc files with that ID and thus verify who I am. In fact, they can even automate this whole process if they want to!
But it's all pointless right now because GPG signing isn't taken seriously in the PyPI world!
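As an added example (not code from this thread, from pip or from PyPI), here is the out-of-band check the comments describe: fetch a release file plus the `.asc` served next to it, run `gpg --verify`, and accept the result only if the signing key's fingerprint matches one you pinned in advance, which is what makes the "several John Does" problem go away. The download URL and the fingerprint are placeholders you supply; the key must already be in your keyring.

```bash
#!/usr/bin/env bash
# Added example: verify a PyPI download against its detached .asc signature
# and a pinned key fingerprint. pip itself does not check .asc files, so this
# runs beside the install. The URL and fingerprint are assumed placeholders.
set -eu

# The detached signature was served at "<file url>.asc".
asc_url() {
    printf '%s.asc\n' "$1"
}

# Inspect gpg --status-fd output. Succeed only when there is a GOODSIG line
# and the VALIDSIG line's signing-key fingerprint (3rd field) equals the
# expected fingerprint (spaces and case ignored). Matching on fingerprint,
# not on key id or user id, is the whole point: names are not unique.
check_status() {
    status="$1"
    expected_fpr="$(printf '%s' "$2" | tr -d ' ')"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3 }' \
        | grep -qix "$expected_fpr"
}

# Download file and signature, then verify. gpg --verify exits 0 for any
# key in the keyring, trusted or not, so the fingerprint check is ours.
verify_download() {
    url="$1"; expected_fpr="$2"
    file="$(basename "$url")"; sig="$file.asc"
    curl -fsSLo "$file" "$url"
    curl -fsSLo "$sig" "$(asc_url "$url")"
    status="$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)" || true
    if check_status "$status" "$expected_fpr"; then
        echo "OK: $file is signed by $expected_fpr"
    else
        echo "FAIL: $file signature missing, bad, or from an unexpected key" >&2
        return 1
    fi
}

# Usage: ./verify.sh <download-url> <expected-key-fingerprint>
if [ $# -eq 2 ]; then
    verify_download "$1" "$2"
fi
```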