PyPI Security


If you have a query or report to make regarding security please contact Richard Jones, Donald Stufft and/or Martin von Löwis. All have GPG keys on key servers like

Richard's GPG key has key id 41C6E930 (full fingerprint 0145 FD2B 52E8 0A8E 329A 16C7 AC68 AC04 41C6 E930) and his email address is

Donald's GPG key has key id 3372DCFA (full fingerprint 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA) and his email address is

Martin's GPG key has key id 7D9DC8D2 (full fingerprint CBC5 4797 8A39 64D1 4B9A B36A 6AF0 53F0 7D9D C8D2) and his email address is

You may also report issues in the PyPI bug tracker where reports may be made private.

Your Security

You may sign your uploads with GPG using the "--sign" argument to "python upload".

Additionally you may avoid using the default HTTP authentication used on the site and instead upload using ssh.

The MD5 hash published alongside each file on PyPI exists only to detect download corruption. It provides no protection against deliberate tampering, since whoever can replace the file can replace the published hash as well. Use GPG signing for that.