Last night, on the #pypa IRC channel, asked about uploading detached
GPG signatures for packages. According to , twine did not upload
the signature, even when passing -s as an argument. I tried to do the same on
test.pypi.org, and at first I had the same impression, as the package
page was not showing anything. As I
started reading the source of twine to figure out what was going on, I found
that it uploads the signature as part of the metadata of the package. The JSON
API actually showed that the
release is signed. Later, and explained that we just have
to add .asc at the end of the URL of the package file to download the detached
signature.
During the conversation, mentioned that only 4% of the total packages are actually GPG signed. GPG is written in C and is also GPL licensed software, so it can not be packaged inside CPython (the way pip is packaged inside CPython). The idea of a future PyPI where all packages must be signed (how exactly is still to be discussed) was also raised in the IRC channel.

We also got to know that we can delete any file/release from PyPI, but we can not upload those files again; one has to make a new release. This is also very important in case you want to upload signatures: you will have to do that at the time of uploading the package.
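The two facts above (the JSON API reports whether a file is signed, and the detached signature sits at the file URL plus ".asc") are enough for a downloader to locate and verify a signature. The script below is an added example, not code from the post, twine or PyPI: it parses a constructed JSON document shaped like a PyPI release response (the package name, hashes and URLs are made up), picks out the files that carry a signature, derives the .asc URL for each, and builds the `gpg --verify` command a consumer would run after fetching both files. It relies on the `has_sig` field of the PyPI JSON API; nothing is downloaded or executed.

```python
import json
from urllib.parse import urlparse

# Constructed sample, shaped like https://pypi.org/pypi/<name>/<version>/json.
# Package name, version, digests and URLs are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "info": {"name": "examplepkg", "version": "1.0.0"},
    "urls": [
        {
            "filename": "examplepkg-1.0.0.tar.gz",
            "packagetype": "sdist",
            "url": "https://files.pythonhosted.org/packages/aa/bb/examplepkg-1.0.0.tar.gz",
            "has_sig": True,
            "digests": {"sha256": "0" * 64},
        },
        {
            "filename": "examplepkg-1.0.0-py3-none-any.whl",
            "packagetype": "bdist_wheel",
            "url": "https://files.pythonhosted.org/packages/cc/dd/examplepkg-1.0.0-py3-none-any.whl",
            "has_sig": False,
            "digests": {"sha256": "1" * 64},
        },
    ],
})


def signature_url(file_url):
    """The detached signature is served at the file URL with '.asc' appended."""
    return file_url + ".asc"


def signed_files(json_text):
    """Return (filename, file_url, sig_url) for every release file whose
    has_sig flag is set in the JSON API response."""
    data = json.loads(json_text)
    result = []
    for entry in data.get("urls", []):
        if entry.get("has_sig"):
            result.append((entry["filename"], entry["url"], signature_url(entry["url"])))
    return result


def unsigned_files(json_text):
    """Filenames in the release that carry no signature; a strict installer
    would refuse these (or at least warn) rather than silently skip the check."""
    data = json.loads(json_text)
    return [e["filename"] for e in data.get("urls", []) if not e.get("has_sig")]


def same_origin(file_url, sig_url):
    """Sanity check: the .asc must come from the same host as the file itself,
    so a signature is never fetched from an unrelated location."""
    return urlparse(file_url).netloc == urlparse(sig_url).netloc


def verify_commands(json_text):
    """Build the gpg invocations to run once each file and its .asc are saved
    locally under their filenames. Returned as argv lists; nothing is run here."""
    cmds = []
    for filename, file_url, sig_url in signed_files(json_text):
        if not same_origin(file_url, sig_url):
            continue
        cmds.append(["gpg", "--verify", filename + ".asc", filename])
    return cmds


if __name__ == "__main__":
    for name, _, sig in signed_files(SAMPLE_RESPONSE):
        print(f"signed:   {name}  ->  {sig}")
    for name in unsigned_files(SAMPLE_RESPONSE):
        print(f"unsigned: {name}")
    for cmd in verify_commands(SAMPLE_RESPONSE):
        print(" ".join(cmd))
```

On the publishing side the matching step is `twine upload -s dist/*`, which signs each file with GPG before upload; as the post notes, the signature can only be attached at that point, since files cannot be re-uploaded later.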
also wrote about the idea of signing the packages a few years ago.