Thanks for the reply. I am thinking of storing the signature in the package itself; I don't know if it is a good idea or not, but it seems more compact to me. I don't want to use gpg, I want to do this with Python. So my plan is as follows.

For signing:
1) Compute the digests of all the files that are in the package (md5 or sha1) and store them in a file
2) Sign that file of digests (with the private key) using RSA or something like that

For verification:
1) User imports the public key of the signer
2) Decrypts the file with digests
3) Computes the digests of all the files with md5 or sha1 and compares them; if all are the same, the package is verified

It may seem stupid; if someone has some ideas to improve it, please tell me.
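
The signing and verification steps described in the post above, as an added example that is not part of the original post: it assumes the third-party `cryptography` package, uses RSA-PSS with SHA-256 in place of the MD5/SHA-1 the post mentions, and the file names `MANIFEST.json` and `MANIFEST.sig` are assumptions. Verification checks the signature before trusting any digest and also reports files that are missing or were added after signing.

```python
import hashlib, json, tempfile
from pathlib import Path
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
# Assumed layout: manifest and signature stored in the package root under these names.
SKIP = {"MANIFEST.json", "MANIFEST.sig"}
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

def build_manifest(root: Path) -> bytes:
    """Deterministic JSON mapping each relative path to its SHA-256 digest."""
    files = [p for p in sorted(root.rglob("*")) if p.is_file()]
    digests = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
               for p in files if p.relative_to(root).as_posix() not in SKIP}
    return json.dumps(digests, sort_keys=True).encode()

def sign_package(root: Path, private_key) -> None:
    manifest = build_manifest(root)
    (root / "MANIFEST.json").write_bytes(manifest)
    (root / "MANIFEST.sig").write_bytes(private_key.sign(manifest, PSS, hashes.SHA256()))

def verify_package(root: Path, public_key) -> list:
    """Return a list of problems; an empty list means the package verified."""
    manifest = (root / "MANIFEST.json").read_bytes()
    try:  # check the signature before trusting any digest in the manifest
        public_key.verify((root / "MANIFEST.sig").read_bytes(), manifest, PSS, hashes.SHA256())
    except InvalidSignature:
        return ["bad signature on manifest"]
    signed, actual = json.loads(manifest), json.loads(build_manifest(root))
    problems = [f"{'modified' if n in actual else 'missing'}: {n}"
                for n in signed if actual.get(n) != signed[n]]
    problems += [f"unsigned extra file: {n}" for n in actual if n not in signed]
    return sorted(problems)

def demo() -> dict:
    """Sign a constructed one-file package, then tamper with it and re-verify."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main.py").write_text("print('hello')\n")
        sign_package(root, key)
        clean = verify_package(root, key.public_key())
        (root / "main.py").write_text("print('changed')\n")
        (root / "extra.py").write_text("added after signing\n")
        tampered = verify_package(root, key.public_key())
        # Manifest regenerated without the private key: the old signature no longer matches.
        (root / "MANIFEST.json").write_bytes(build_manifest(root))
        rehashed = verify_package(root, key.public_key())
    return {"clean": clean, "tampered": tampered, "rehashed": rehashed}
```

Calling `demo()` returns the verification result for the untouched package, for the package with one changed and one added file, and for the same package after its manifest was regenerated without re-signing.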