I would like to digitally sign the open source Python extensions I produce. I produce source code (zip file) as well as pre-built binaries for Windows (all Python versions from 2.3 to 3.1).

I can sign the source using my PGP key no problem. I could also sign the Windows binaries that way but Windows users are unlikely to have PGP and the Google Code downloads page would look even worse having another 8 or 9 .asc files.

The Windows Python distribution is signed by PGP and the normal Microsoft way using a Verisign class 3 cert. (If you read their issuer statement it ultimately says the cert isn't worth the bits it is printed on :-) One of those certs is $500 per year which is out of the question for me.

Does anyone have any other suggestions? Has the PSF considered running a certificate authority for extension developers, and other Python developers for that matter?

Roger