A few days ago, I made this DEV.to post about how Python's PIP lacks GPG package signing. Well, it turns out that I'm wrong! It does have a package signing process after all. Except it's one of the most manual, archaic, and cumbersome security practices I've seen to date.