Attempting to build those with our existing automation is failing for the 3.10.14 release (only), seemingly due to the release having been signed with a different GPG key from normal:
```
+ curl --fail --retry 3 --retry-connrefused --connect-timeout 10 --max-time 60 -o python.tgz https://www.python.org/ftp/python/3.10.14/Python-3.10.14.tgz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 24.7M 0 8427 0 0 7357 0 0:58:44 0:00:01 0:58:43 7359
100 24.7M 100 24.7M 0 0 14.7M 0 0:00:01 0:00:01 --:--:-- 14.7M
+ curl --fail --retry 3 --retry-connrefused --connect-timeout 10 --max-time 60 -o python.tgz.asc https://www.python.org/ftp/python/3.10.14/Python-3.10.14.tgz.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 833 100 833 0 0 3495 0 --:--:-- --:--:-- --:--:-- 3485
+ gpg --batch --verbose --recv-keys A035C8C19219BA821ECEA86B64E628F8D684696D
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to dirmngr established
gpg: data source: https://keys.openpgp.org:443
gpg: pub rsa4096/64E628F8D684696D 2018-03-30 Pablo Galindo Salgado <EMAIL REDACTED>
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key 64E628F8D684696D: public key "Pablo Galindo Salgado <EMAIL REDACTED>" imported
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: Total number processed: 1
gpg: imported: 1
+ gpg --batch --verify python.tgz.asc python.tgz
gpg: Signature made Tue Mar 19 23:31:41 2024 UTC
gpg: using RSA key E3FF2839C048B25C084DEBE9B26995E310250568
gpg: Can't check signature: No public key
```
Bug description:
Several Python patch releases were released today:
https://blog.python.org/2024/03/python-31014-3919-and-3819-is-now.html
Attempting to build those with our existing automation is failing for the 3.10.14 release (only), seemingly due to the release having been signed with a different GPG key from normal:
(see https://github.com/heroku/heroku-buildpack-python/actions/runs/8352048284/job/22861497406#step:4:47)
The old `A035C8C19219BA821ECEA86B64E628F8D684696D` key is still the one listed on: https://www.python.org/downloads/
And there is no mention of a GPG key change in https://blog.python.org/2024/03/python-31014-3919-and-3819-is-now.html - and in fact the announcement suggests the signing part was meant to be unchanged:
Is this a regression from the migration to releasing from GitHub Actions (mentioned in the blog post)?
cc @pablogsal
CPython versions tested on:
3.10
Operating systems tested on:
Linux
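The failure reported above is easier to triage when the build step reads gpg's machine-readable status lines rather than its exit code alone. The following is an added example, not code from the issue, the buildpack or CPython: `classify_gpg_status` and `verify_release` are hypothetical helper names, and the status lines in `SAMPLE_KEY_CHANGED` are constructed from the key ID visible in the log. It assumes a single signature per file.

```shell
#!/bin/sh
# Added example. Classifies `gpg --status-fd 1 --verify` output against a
# pinned release-manager fingerprint (40 uppercase hex characters, no spaces).
classify_gpg_status() {
    expected=$1
    result="no-signature"
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                # arg1: fingerprint of the signing (sub)key;
                # last field: fingerprint of its primary key.
                primary=${rest##* }
                if [ "$arg1" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    result="ok"
                else
                    # Signature is valid, but from a key we did not pin.
                    result="unexpected-key $primary"
                fi ;;
            NO_PUBKEY)
                # arg1: long key ID (last 16 hex digits of the fingerprint).
                case $expected in
                    *"$arg1") result="pinned-key-not-imported $arg1" ;;
                    *)        result="signed-by-other-key $arg1" ;;
                esac ;;
            BADSIG)
                result="bad-signature $arg1"
                break ;;
        esac
    done
    printf '%s\n' "$result"
}

# Hypothetical wrapper: verify_release <pinned-fingerprint> <signature> <file>
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        classify_gpg_status "$1"
}

# Constructed status lines for the situation in the log above: the pinned key
# was imported, but the signature names a different key ID.
SAMPLE_KEY_CHANGED='[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY B26995E310250568'

printf '%s\n' "$SAMPLE_KEY_CHANGED" |
    classify_gpg_status A035C8C19219BA821ECEA86B64E628F8D684696D
```

A result of `signed-by-other-key` separates a changed signing key from a failed keyserver import, and `unexpected-key` catches a valid signature made by a key that is in the keyring but was never pinned.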