On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou <[email protected]> wrote:
> On 2012-10-22 15:20:01 -0400
> Daniel Holth <[email protected]> wrote:
>>
>> The decoded contents are like the JSON documents at
>> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions
>>
>> Signing is implemented at:
>> https://bitbucket.org/dholth/wheel/src/tip/wheel/signatures/__init__.py?at=default#cl-25
>>
>> The SHA-256 hash of RECORD is what is signed together with JWS
>> signature header. The JWS spec elaborates on the general format.
>
> Thank you. Could you fix the terminology in the PEP? You are using the
> term "payload" in a different sense from the JWS draft. Specifically,
> the PEP should mention that the "JWS Payload" is the binary
> contents of the RECORD file.
>
> What you are calling payload is actually the "JWS Signature".
>
> Regards

Which line is confusing? The payload is the hash of the contents of
RECORD as a small JSON document: { "hash":
"sha256=ADD-r2urObZHcxBW3Cr-vDCu5RJwT4CaRTHiFmbcIYY" } instead of
including a base64-encoded copy of RECORD in the signature.
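
The design discussed in this thread, where the signed payload is a small JSON document holding the SHA-256 of RECORD rather than a copy of RECORD, sketched as an added example (not code from the thread or from the wheel project). It assumes HMAC-SHA256 as a stand-in signature algorithm so it runs on the standard library alone; the function names, the `(header, payload, signature)` tuple layout, the sample RECORD contents and the key are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """URL-safe base64 without '=' padding, as JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def record_hash(record: bytes) -> str:
    return "sha256=" + b64url(hashlib.sha256(record).digest())


def record_payload(record: bytes) -> bytes:
    """The small JSON document that is signed in place of RECORD itself."""
    return json.dumps({"hash": record_hash(record)}).encode("utf-8")


def sign_record(record: bytes, key: bytes) -> tuple:
    # Assumption: HS256 stands in for the real signature algorithm.
    header = b64url(json.dumps({"alg": "HS256"}).encode("utf-8"))
    payload = b64url(record_payload(record))
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return header, payload, b64url(mac.digest())


def verify_record(record: bytes, signed: tuple, key: bytes) -> bool:
    header, payload, signature = signed
    # Step 1: the signature covers header + "." + payload.
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), b64url_decode(signature)):
        return False
    # Step 2: the signature only vouches for the hash, so the RECORD file
    # as found must be re-hashed and compared with the signed value.
    claimed = json.loads(b64url_decode(payload)).get("hash", "")
    return hmac.compare_digest(claimed.encode(), record_hash(record).encode())


# Constructed sample RECORD contents and key, not taken from a real wheel.
SAMPLE_RECORD = b"pkg/__init__.py,sha256=AAAA,10\npkg-1.0.dist-info/RECORD,,\n"
SAMPLE_KEY = b"constructed-demo-key"
```

A verifier that stops after step 1 has checked only that the hash document is authentic; step 2 is what ties that document to the RECORD file actually present.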