dephell package verify

Verify GPG signature for a release from PyPI.

Verify files for the latest release:

$ dephell package verify flask
INFO getting release file... (url=https://files.pythonhosted.org/packages/.../Flask-1.1.1-py2.py3-none-any.whl)
{
  "created": "2019-07-08",
  "fingerprint": "AD253D8661D175D001F462D77A1C87E3F5BC42A8",
  "key_id": "7A1C87E3F5BC42A8",
  "name": "Flask-1.1.1-py2.py3-none-any.whl",
  "release": "1.1.1",
  "status": "signature valid",
  "username": "David Lord <davidism@gmail.com>"
}

INFO getting release file... (url=https://files.pythonhosted.org/packages/.../Flask-1.1.1.tar.gz)
{
  "created": "2019-07-08",
  "fingerprint": "AD253D8661D175D001F462D77A1C87E3F5BC42A8",
  "key_id": "7A1C87E3F5BC42A8",
  "name": "Flask-1.1.1.tar.gz",
  "release": "1.1.1",
  "status": "signature valid",
  "username": "David Lord <davidism@gmail.com>"
}

Verify files for the given release:

dephell package verify django==2.0.1

Note that packages signing isn’t popular in Python world. Most of packages have no signature:

$ dephell package verify pip
ERROR no signed files found

See also

1. How to filter commands JSON output.
2. dephell package show to show information about single package.
3. dephell deps audit to find known vulnerabilities in the project dependencies.