You are right, actually both are required. There should be a field in setup.py where the devs should be able to put their GPG ID. The .asc link is already available, just put the .asc after the download link of the setup file and you'll get it.
Actually, it could also be the case that there are multiple dudes of the same name (like "John Doe") and it's not possible to search through the keys and determine who this particular package's author is. In fact, services like Github can play a huge role in this. Since Github already has my GPG ID because I sign all my commits, Github can easily verify my packages by matching my signed .asc files with that ID and thus verify who I am. In fact, they can even automate this whole process if they want to!
But it's all pointless right now because GPG signing isn't taken seriously in the pypi world!
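The check the comment is describing, as an added example that is not part of the original thread: derive the `.asc` URL from the download URL, and accept the signature only if `gpg` reports it valid *and* made by the key ID the developer declared (the "John Doe" ambiguity means "good signature from some key" is not enough). It assumes the `.asc` file is still served beside the download, that `gpg` is on the PATH, and that `expected_id` is whatever the developer published; the status text below is constructed sample data, not real key material.

```python
import subprocess

# Constructed gpg --status-fd output for a valid signature (not real key material).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 John Doe <john@example.com>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 "
    "1704067200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)

def asc_url_for(download_url: str) -> str:
    """The detached signature lives at the download URL with '.asc' appended."""
    return download_url + ".asc"

def signer_fingerprints(status_output: str) -> set:
    """Collect key fingerprints from VALIDSIG lines (signing key, plus the
    primary key when gpg reports it). VALIDSIG is only emitted for signatures
    that actually verify; a GOODSIG line on its own is not checked here."""
    found = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            found.add(fields[2].upper())
            if len(fields) >= 12:  # 12th field is the primary key fingerprint
                found.add(fields[11].upper())
    return found

def matches_expected_key(status_output: str, expected_id: str) -> bool:
    """True only if the valid signature came from the key the developer declared.
    expected_id may be a full fingerprint or a long (16 hex) key ID; short
    8-digit IDs also match but are easy to collide, so prefer the fingerprint."""
    wanted = expected_id.upper().replace(" ", "")
    return any(fpr.endswith(wanted) for fpr in signer_fingerprints(status_output))

def verify_download(path: str, sig_path: str, expected_id: str) -> bool:
    """Run gpg with machine-readable status on stdout and require the declared key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True,
    )
    return matches_expected_key(proc.stdout, expected_id)
```

`verify_download` needs a real `gpg` and the signer's public key already imported; the two pure functions can be exercised on the constructed status text alone.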