PGP verification of pynitrokey / nitropy release artifacts

Currently the recommended way of installing pynitrokey is via pipx, but such an installation does not include any PGP verification and the PyPI repo doesn’t seem to have a signature either, as some other packages there do.

Can a detached signature or signed hash file please be included for the release assets for pynitrokey? Even just a hash file in the repo would be enough, since the repo can be verified via the tags, but the more standard solution would be to add it to the release assets.

Hey newNKuser,

yes, this is already planned starting with one of the next releases …
in the meantime you can also ask pipx (or pip) to install directly from the git repository

best


Thanks for the tip about pipx, but this will still pull lots of dependencies without verification I think; dependencies which the binary (release artifact) includes IIUC. Good to hear that signed artifacts are coming, though, thank you!
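As an added illustration of the workflow the first post asks for (not code from the thread or from the pynitrokey project): once a release ships a hash file plus a detached PGP signature, a downloader should verify the signature with a pinned keyring first and only then compare the listed hashes against the downloaded assets. The asset and file names below (SHA256SUMS, SHA256SUMS.asc, pynitrokey-demo.tar.gz) are assumptions, and the sample release is constructed in a temporary directory.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

SUMS_NAME, SIG_NAME = "SHA256SUMS", "SHA256SUMS.asc"  # assumed names; the thread names none
LINE_RE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S.*)$")    # sha256sum output format

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum-style 'hex  filename' lines; reject anything malformed."""
    sums = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            m = LINE_RE.match(line)
            if not m:
                raise ValueError(f"malformed checksum line: {line!r}")
            sums[m.group(2)] = m.group(1)
    return sums

def check_hashes(release_dir: Path, sums: dict) -> list:
    """Return problems found; an empty list means every listed asset is present and matches."""
    problems = []
    for name, expected in sums.items():
        asset = release_dir / name
        if not asset.is_file():
            problems.append(f"missing: {name}")
        elif sha256_of(asset) != expected:
            problems.append(f"mismatch: {name}")
    return problems

def verify_release(release_dir: Path, keyring: Path) -> list:
    """Signature first, with a pinned keyring: an unverified hash file proves nothing about the assets."""
    res = subprocess.run(["gpg", "--no-default-keyring", "--keyring", str(keyring), "--verify",
                          str(release_dir / SIG_NAME), str(release_dir / SUMS_NAME)], capture_output=True)
    if res.returncode != 0:
        return [f"bad or missing signature on {SUMS_NAME}"]
    return check_hashes(release_dir, parse_sums((release_dir / SUMS_NAME).read_text()))

def demo() -> tuple:
    """Constructed sample: a correct hash file for one asset, then the same asset tampered with."""
    with tempfile.TemporaryDirectory() as d:
        rel, asset = Path(d), Path(d) / "pynitrokey-demo.tar.gz"  # constructed asset name
        asset.write_bytes(b"constructed release payload")
        (rel / SUMS_NAME).write_text(f"{sha256_of(asset)}  {asset.name}\n")
        good = check_hashes(rel, parse_sums((rel / SUMS_NAME).read_text()))
        asset.write_bytes(b"constructed release payload, altered")
        bad = check_hashes(rel, parse_sums((rel / SUMS_NAME).read_text()))
    return good, bad
```

verify_release() needs gpg on the path and a keyring file containing only the release-signing key; demo() exercises the hash check alone so it runs without gpg.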