4.0.8 sdist tarball signature on pypi is bad

Hi! When trying to package 4.0.8 for Arch Linux I ran into a bad signature for the sdist tarball on pypi.org:

gpg --verify gitdb-4.0.8.tar.gz.asc
gpg: assuming signed data in 'gitdb-4.0.8.tar.gz'
gpg: Signature made 2021-10-23T02:39:33 CEST
gpg:                using RSA key EAF9CCFCD0876408F297C60A9CB5EE7895E8268B
gpg: BAD signature from "Sebastian Thiel (YubiKey USB-C) <byronimo@gmail.com>" [unknown]

To reproduce:

curl -L -O https://files.pythonhosted.org/packages/source/g/gitdb/gitdb-4.0.8.tar.gz -O https://files.pythonhosted.org/packages/source/g/gitdb/gitdb-4.0.8.tar.gz.asc && gpg --verify gitdb-4.0.8.tar.gz.asc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

4.0.8 sdist tarball signature on pypi is bad #77

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Search code, repositories, users, issues, pull requests...

4.0.8 sdist tarball signature on pypi is bad #77

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions