PyPI removes PGP-signature support

Syndicated from the original at https://lwn.net/Articles/932721/

The PyPI package archive has removed support for PGP signatures on packages.

In other words, out of all of the unique keys that had uploaded
signatures to PyPI, only 36% of them were capable of being
meaningfully verified at the time of audit. Even if all of those
signatures uploaded in that 3-year period of time were made by one
of those 36% of keys that are able to be meaningfully verified,
that would still represent only 0.3% of all of those files.

Given all of this, the continued support of uploading PGP
signatures to PyPI is no longer defensible.
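The quoted figures come from checking, for every uploaded signature, whether the key that made it can be found at all, since a detached signature whose key is undiscoverable cannot be meaningfully verified. The Python below is an added example that is not part of the LWN item or of PyPI's own audit tooling: it extracts the issuer key ID from armored detached signatures by parsing the OpenPGP v4 signature packet (RFC 4880), resolves each ID against a local `KNOWN_KEYS` set that stands in for a keyserver lookup, and reports the same two ratios the announcement cites (resolvable unique keys, and files covered by a resolvable key). The signatures it runs on are constructed in `make_signature` purely to carry an Issuer subpacket; they are not cryptographically valid and the key IDs are made up.

```python
"""Audit which PGP-signed files could actually be verified.

A detached signature only means something if the signing key can be
found.  This extracts the issuer key ID from each signature (RFC 4880
packet parsing) and looks it up in a local set of known keys that
stands in for a keyserver.  Everything below is a constructed example.
"""
import base64
import struct

ISSUER_SUBPACKET = 16  # RFC 4880 section 5.2.3.5
SIGNATURE_TAG = 2      # RFC 4880 section 5.2


def dearmor(text: str) -> bytes:
    """Return the binary packet data inside an ASCII-armored signature."""
    lines = iter(text.strip().splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armor header found")
    for line in lines:          # armor headers end at the first blank line
        if line.strip() == "":
            break
    b64 = []
    for line in lines:          # data runs until the CRC line or END marker
        if line.startswith("=") or line.startswith("-----END PGP"):
            break
        b64.append(line.strip())
    return base64.b64decode("".join(b64))


def read_packet(data: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first packet; handles old and new headers."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                               # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                        # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, data[off:off + length]


def iter_subpackets(area: bytes):
    """Yield (type, data) for each signature subpacket in an area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # length covers the type octet
        i += length


def issuer_key_id(sig: bytes) -> str:
    """Extract the 64-bit Issuer key ID from a v4 signature packet."""
    tag, body = read_packet(sig)
    if tag != SIGNATURE_TAG or body[0] != 4:
        raise ValueError("expected a v4 signature packet")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    for area in (hashed, unhashed):
        for stype, sdata in iter_subpackets(area):
            if stype == ISSUER_SUBPACKET and len(sdata) == 8:
                return sdata.hex().upper()
    raise ValueError("signature carries no Issuer subpacket")


def audit(signatures: dict[str, str], known_keys: set[str]) -> dict:
    """Which unique keys resolve, and which files are covered by one."""
    key_of = {name: issuer_key_id(dearmor(asc)) for name, asc in signatures.items()}
    unique = set(key_of.values())
    resolvable = unique & known_keys
    covered = [name for name, kid in key_of.items() if kid in resolvable]
    return {"unique_keys": len(unique), "resolvable_keys": len(resolvable),
            "key_pct": 100.0 * len(resolvable) / len(unique),
            "verifiable_files": len(covered),
            "file_pct": 100.0 * len(covered) / len(key_of)}


def make_signature(key_id: str, new_format: bool = False) -> str:
    """Constructed armored v4 signature carrying only an Issuer (not valid)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1683900000)   # creation time
    unhashed = bytes([9, ISSUER_SUBPACKET]) + bytes.fromhex(key_id)
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + struct.pack(">H", 16) + b"\x80\x01")  # hash prefix, dummy MPI
    header = bytes([0xC2 if new_format else 0x88, len(body)])
    b64 = base64.b64encode(header + body).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"


# Constructed sample: four signed files, three distinct (made-up) keys.
SAMPLE_SIGNATURES = {
    "pkg_a-1.0.tar.gz.asc": make_signature("0123456789ABCDEF"),
    "pkg_a-1.1.tar.gz.asc": make_signature("0123456789ABCDEF", new_format=True),
    "pkg_b-2.0.whl.asc": make_signature("FEDCBA9876543210"),
    "pkg_c-0.1.tar.gz.asc": make_signature("00FF00FF00FF00FF"),
}
KNOWN_KEYS = {"0123456789ABCDEF"}   # stands in for keys discoverable on a keyserver

if __name__ == "__main__":
    print(audit(SAMPLE_SIGNATURES, KNOWN_KEYS))
```

On the constructed sample, one of three unique keys resolves (33%) and two of four files are covered (50%); on real data, replace `KNOWN_KEYS` with the result of a keyserver or keyring lookup per extracted ID, which is exactly the step that failed for most keys in PyPI's audit.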