Signed PyPI releases

[ypid]

Seems that PyPI supports OpenPGP signatures but it seems to be not very common yet. Also pip has no native way of checking the signatures yet (tracked upstream: pypa/pip#1035). As the signing part does not have a big overhead and can be automated with the release process I would suggest to do that for the next release. Here is an example Python package which uses this: hlc. Also refer to the Makefile of the package where all of the signing is automated 😉

Related to: #164
Refs:

• https://packaging.python.org/distributing/#uploading-your-project-to-pypi
• http://stuartmumford.uk/blog/verifying-pypi-and-conda-packages.html