@@ -61,7 +61,11 @@ Releases 1.6.1, 2.0.0 and 2.1.0 were accidentally signed with this key
6161 pgp.mit.edu keyserver example replacing the key fingerprint
6262 with the one starting A1E6.
6363
64- You can import a key from pgp.mit.edu using::
64+ Importing the Public Key
65+ ~~~~~~~~~~~~~~~~~~~~~~~~
66+
67+ This only has to be added to your keyring once. You can import a key
68+ from pgp.mit.edu using::
6569
6670 gpg --keyserver pgp.mit.edu --receive-keys 411E354B5D1AF26125D621221F2DD0CB756A76D8
6771
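Review bot: In the new "Importing the Public Key" section, the opening sentence "This only has to be added to your keyring once." has no antecedent for "This"; name the object, for example "The public key only has to be added to your keyring once." The unchanged paragraph just above the heading still refers to the "pgp.mit.edu keyserver example", which now sits under the new heading, so that reference would be easier to follow if it named the section. Since the command fetches by full fingerprint, a closing sentence asking the reader to confirm that the imported key shows the same fingerprint would complete the step.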
@@ -76,21 +80,32 @@ using::
7680 gpg --import pub.key
7781
7882Once you have loaded the public key, you need a detached signature for
79- your release. PyPI used to support uploading gpg detached
83+ your release.
84+
85+
86+ Download and Verify with Detached Signature
87+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
88+
89+ This needs to be done once for each release you wish to verify.
90+
91+ The Python Package Index (PyPI) used to support uploading gpg detached
8092signatures. However that is no longer supported and downloading
8193existing signatures may not work in the future.
8294
8395As a result, the signatures for all Roundup final releases starting
8496with 1.6.0 have been moved and are linked below:
8597
98+ .. rst-class:: multicol
99+
86100* `2.2.0 <../signatures/roundup-2.2.0.tar.gz.asc>`_
87101* `2.1.0 <../signatures/roundup-2.1.0.tar.gz.asc>`_
88102* `2.0.0 <../signatures/roundup-2.0.0.tar.gz.asc>`_
89103* `1.6.1 <../signatures/roundup-1.6.1.tar.gz.asc>`_
90104* `1.6.0 <../signatures/roundup-1.6.0.tar.gz.asc>`_
91105
92- To use it, download the correct versioned link and verify it with
93- (note 1.5.7 is a dummy version, use the correct version number)::
106+ To use the signature, download the correct versioned link and verify
107+ it with (note 1.5.7 is a dummy version, use the correct version
108+ number)::
94109
95110 gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz
96111
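Review bot: The sentence "Once you have loaded the public key, you need a detached signature for your release." is left stranded at the end of the import section, ahead of the new "Download and Verify with Detached Signature" heading; it belongs as the first sentence under that heading. In the same section, "This needs to be done once for each release you wish to verify." does not say what "This" is; "Download and verify the signature once for each release ..." would be clearer. The example keeps the dummy version 1.5.7 although the list only offers 1.6.0 through 2.2.0, so using a listed version such as 2.2.0 would make the command usable as written. The `.. rst-class:: multicol` directive relies on a `multicol` style that this diff does not add; confirm the theme defines it, otherwise the list renders unchanged.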