
Re: RFC: advise against using Proton Mail for Debian work?



Hello,

I completely agree with you and many others in that regard. A private key is private, and shall not be stored on a server that multiple users might access and that is open to the internet, which can be compromised.

Doing this makes the attack surface substantially larger, and, given that the target is important enough, makes the server the target of more sophisticated attacks which might be harder to detect.

> It has been suggested that I'm a bit paranoid for stating that putting my
> private key on a microsoft server renders the signature with that key
> completely meaningless.

Given that Microsoft lost their private keys, allowing anyone to sign login tokens, and stayed silent for so long on the matter, not giving private keys to Microsoft is a wise choice.

As a result, a general policy change disallowing private keys to be stored in these remote systems is a welcome addition from my PoV.

Cheers,

H.

On 15.11.2023 13:01, Salvo Tomaselli wrote:
> Hello,
>
> On Wednesday 15 November 2023 03:21:34 CET, Simon Richter wrote:
>> disqualifying factor. Upload permissions are tied to a gpg key, and the
>> holder of the key needs to at least demonstrate good practices in using
>> gpg
>
> I was recently discussing with pypi and core python developers, and it seems
> that their take is very different from ours.
>
> It seems that pypi completely removed support for signed updates, and instead
> now verification happens if you upload from a github pipeline.
>
> It has been suggested that I'm a bit paranoid for stating that putting my
> private key on a microsoft server renders the signature with that key
> completely meaningless.
>
> I of course disagree, but the opinion of people in such key positions is
> easily valued more.
>
> Perhaps we need an explicit policy on how to handle keys, since there are very
> different opinions about what it is ok to do with them.
>
> Best
