by msl09 2932 days ago
That is discussed extensively in the issues related to the OP. The problem is that package maintainers of distros actually check whether the GPG signature has changed in order to repackage Python projects for their distros.

Why are distros packaging from PyPI and not from the upstream project?
Because that's where upstream puts release tarballs.
They can still do that, it's just not exposed in the UI anymore.
I have tried checking the REST API[1] but I only found a has_sig parameter. Where is the actual signature?

https://warehouse.readthedocs.io/api-reference/json/

It's not particularly obvious, but you find a release for which `has_sig` is true, then you take the URL from that release and append `.asc` to that URL.

  $ curl -s $(curl -s https://pypi.org/pypi/cryptography/json | jq '.releases["2.2.2"][] | select(.has_sig) | .url' | sed -e 's/^"//' -e 's/"$//').asc
  -----BEGIN PGP SIGNATURE-----
  
  iQEzBAABCAAdFiEEBf2foWz3VzUNkaVgI1rl8Sn57ZgFAlq6dNgACgkQI1rl8Sn5
  7Zg0Ygf/WzulfXom9qdbCHrUJh2xkTxPqK2/SUqDqOQ1OdKJm+MxDBcMhwrCdBDh
  8+eXyPTLnnhPUcCSqVFcJeUu9KyKB2MhKi7gdBUHrDxjbufexxPC+L/KwjOq3nod
  gL4OPHGGeX2ZgSlwFPR4zPIIheUmf9kPX88qtW8DD8zmuyhci6ibac9a/3fHkDVt
  H27B+aqs+WObMjcfwZV7gMnRbZwUOBZvVFRxwfMHVuMpfbwhQC8HdBK74XKNaoTd
  Golmpa5fqRm1sNquBz9YRVElWuw1qj1CZJhRBuR7V5xyPLX8J7EVUrYa70/fVtfr
  hW7oAlNbMFYb58hGC9K20v6WX8XT2w==
  =zox2
  -----END PGP SIGNATURE-----
At least that's what I was able to piece together from the docs...
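The `has_sig` / `.asc` lookup described in the comment above, as an added Python example (not code from the thread or from Warehouse): it parses a constructed payload shaped like the JSON API response, derives the detached-signature URL for each signed file, and lists the files for which PyPI reports no signature so a packager does not treat them as verified. The sample data, filenames and keyring path are assumptions.

```python
from __future__ import annotations
import json
from urllib.parse import urlparse

# Constructed sample modelled on the PyPI JSON API shape (not a real response):
# each release file carries "url", "has_sig", "packagetype" and "digests".
SAMPLE_JSON = json.dumps({
    "info": {"name": "example-pkg", "version": "2.2.2"},
    "releases": {
        "2.2.2": [
            {"filename": "example_pkg-2.2.2.tar.gz", "packagetype": "sdist",
             "url": "https://files.pythonhosted.org/packages/ab/cd/example_pkg-2.2.2.tar.gz",
             "has_sig": True, "digests": {"sha256": "aa" * 32}},
            {"filename": "example_pkg-2.2.2-py2.py3-none-any.whl", "packagetype": "bdist_wheel",
             "url": "https://files.pythonhosted.org/packages/ef/01/example_pkg-2.2.2-py2.py3-none-any.whl",
             "has_sig": False, "digests": {"sha256": "bb" * 32}},
        ]
    },
})


def release_files(payload: str, version: str) -> list[dict]:
    """Return the file entries for one release, or an empty list if the version is absent."""
    data = json.loads(payload)
    return data.get("releases", {}).get(version, [])


def signature_urls(payload: str, version: str) -> dict[str, str | None]:
    """Map each filename to its detached-signature URL (file URL + '.asc'),
    or None when PyPI reports no signature for that file (has_sig false)."""
    result: dict[str, str | None] = {}
    for f in release_files(payload, version):
        url = f["url"]
        if urlparse(url).scheme != "https":   # never fetch a signature over plain http
            raise ValueError(f"non-https file URL: {url}")
        result[f["filename"]] = url + ".asc" if f.get("has_sig") else None
    return result


def unsigned_files(payload: str, version: str) -> list[str]:
    """Filenames a downstream packager must NOT treat as signature-verified."""
    return [name for name, sig in signature_urls(payload, version).items() if sig is None]


def gpg_verify_argv(sig_path: str, artifact_path: str, keyring: str) -> list[str]:
    """Build the gpg command that checks the downloaded .asc against the artifact,
    pinned to a project-specific keyring instead of whatever the default keyring holds."""
    return ["gpg", "--no-default-keyring", "--keyring", keyring,
            "--verify", sig_path, artifact_path]
```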
On the package?