pygp-sign
An attempt to make .py file signing as simple as possible.
NOTE: This is a demo only. The pygp-sign.py script does absolutely no
error handling, and it will overwrite the files you pass to it as arguments.
Why?
It'd be nice to reduce supply chain attacks.
This is a simple way to sign individual files; it doesn't address the
issue of signed packages. At installation time, a package manager could
verify the signatures of the .py files inside the package before installing.
How to Sign
Take a Python script, signed.py:
#!/usr/bin/env python
print("Hello, world!")
and add a PGP signature via ./pygp-sign.py signed.py:
#!/usr/bin/env python
"""
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
"""
print("Hello, world!")
"""
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQTa+VBmGeZ9zUDDeGSVqC10rOJmhwUCaCsWGwAKCRCVqC10rOJm
h/LwAQCIRYhFEwAITNR7dgH5pPLDZ3pR5UEiJn4dwVnRBTH/oAD9EIwbwnpbj9bK
GYIDJhjrlpsMb866rCJtD/D90tneZwA=
=UrdT
-----END PGP SIGNATURE-----
"""
How to Verify
To verify, use anything that'll verify PGP signatures:
✦ chrish@moon ❯ gpg --verify signed.py
gpg: Signature made Mon 19 May 2025 07:29:31 AM EDT
gpg: using EDDSA key DAF9506619E67DCD40C3786495A82D74ACE26687
gpg: Good signature from "Chris Herborth <[email protected]>" [full]
gpg: aka "Chris Herborth <[email protected]>" [full]
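A verifier of the kind a package manager could run over each .py file, added here as an example and not part of pygp-sign itself: it first checks that every line of code lies inside the region the cleartext signature covers (gpg ignores anything before the signed-message header, and Python would still run code placed outside the docstrings), then shells out to gpg with --status-fd and accepts only a GOODSIG whose VALIDSIG fingerprint is in an allow list. The only value taken from this page is the signing-key fingerprint from the gpg output above; the function names and the rest are assumptions.

```python
import subprocess
from pathlib import Path

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
END = "-----END PGP SIGNATURE-----"
ALLOWED = {"DAF9506619E67DCD40C3786495A82D74ACE26687"}  # signer fingerprint from the README

def check_layout(text: str) -> bool:
    """True if every line of code sits inside the cleartext-signed region.
    gpg authenticates only the text between the signed-message header and the
    signature, but Python still runs code before the opening docstring or after
    the closing one; tolerate only a shebang in front and the closing quotes after."""
    lines = text.splitlines()
    if lines and lines[0].startswith("#!"):
        lines = lines[1:]
    if len(lines) < 3 or lines[:2] != ['"""', BEGIN] or END not in lines:
        return False
    tail = [ln for ln in lines[lines.index(END) + 1:] if ln.strip()]
    return tail == ['"""']

def parse_status(status: str, allowed: set) -> tuple:
    """Interpret gpg --status-fd output; returns (ok, detail).
    GOODSIG alone is not enough, since any key in the keyring yields one;
    the fingerprint on the VALIDSIG line must be in the trusted set."""
    good, fpr = False, ""
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NO_PUBKEY"):
            return False, tag  # invalid signature, or key expired/revoked/unknown
        elif tag == "VALIDSIG" and len(fields) > 2:
            fpr = fields[2].upper()
    if not good:
        return False, "no GOODSIG"
    if fpr not in allowed:
        return False, "untrusted signer " + fpr
    return True, fpr

def verify_file(path: str, allowed: set = ALLOWED) -> tuple:
    """Check one signed .py file: layout first, then the signature via gpg."""
    if not check_layout(Path(path).read_text()):
        return False, "code outside signed region"
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return parse_status(proc.stdout, allowed)
```

Calling verify_file("signed.py") on the file produced above returns (True, fingerprint) only when gpg reports a good signature from the allow-listed key and no code sits outside the signed docstrings.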
What about packages?
Packages could be signed as well:
gpg --detach-sign --output somepackage.whl.sig somepackage.whl
gpg --detach-sign --output somepackage.tar.gz.sig somepackage.tar.gz
Then verify:
gpg --verify somepackage.whl.sig somepackage.whl
gpg --verify somepackage.tar.gz.sig somepackage.tar.gz