Today's Python 3.10.14 source release signed by wrong GPG key #117053


Description

@edmorley

Bug description:

Several Python patch releases were released today:
https://blog.python.org/2024/03/python-31014-3919-and-3819-is-now.html

Attempting to build those with our existing automation is failing for the 3.10.14 release (only), seemingly due to the release having been signed with a different GPG key from normal:

+ curl --fail --retry 3 --retry-connrefused --connect-timeout 10 --max-time 60 -o python.tgz https://www.python.org/ftp/python/3.10.14/Python-3.10.14.tgz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0 24.7M    0  8427    0     0   7357      0  0:58:44  0:00:01  0:58:43  7359
100 24.7M  100 24.7M    0     0  14.7M      0  0:00:01  0:00:01 --:--:-- 14.7M
+ curl --fail --retry 3 --retry-connrefused --connect-timeout 10 --max-time 60 -o python.tgz.asc https://www.python.org/ftp/python/3.10.14/Python-3.10.14.tgz.asc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   833  100   833    0     0   3495      0 --:--:-- --:--:-- --:--:--  3485
+ gpg --batch --verbose --recv-keys A035C8C19219BA821ECEA86B64E628F8D684696D
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to dirmngr established
gpg: data source: https://keys.openpgp.org:443
gpg: pub  rsa4096/64E628F8D684696D 2018-03-30  Pablo Galindo Salgado <EMAIL REDACTED>
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key 64E628F8D684696D: public key "Pablo Galindo Salgado <EMAIL REDACTED>" imported
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: Total number processed: 1
gpg:               imported: 1
+ gpg --batch --verify python.tgz.asc python.tgz
gpg: Signature made Tue Mar 19 23:31:41 2024 UTC
gpg:                using RSA key E3FF2839C048B25C084DEBE9B26995E310250568
gpg: Can't check signature: No public key

(see https://github.com/heroku/heroku-buildpack-python/actions/runs/8352048284/job/22861497406#step:4:47)

The old A035C8C19219BA821ECEA86B64E628F8D684696D key is still the one listed on:
https://www.python.org/downloads/

And there is no mention of a GPG key change in https://blog.python.org/2024/03/python-31014-3919-and-3819-is-now.html - and in fact the announcement suggests the signing part was meant to be unchanged:

The artifacts are later still signed by the respective release manager, ensuring integrity when put on the downloads server.

Is this a regression from the migration to releasing from GitHub Actions (mentioned in the blog post)?

cc @pablogsal

CPython versions tested on:

3.10

Operating systems tested on:

Linux
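A verification step that fails closed on exactly this situation, as an added example (not code from the issue, the buildpack, or CPython's release tooling): it pins the release manager's fingerprint from the downloads page and rejects both a signature from a key it does not hold and a valid signature from a key that is not pinned, reporting which key gpg saw instead of fetching it. The GnuPG `--status-fd` line layout and the sample status lines are assumptions modelled on the report's log, not output copied from it.

```python
import subprocess

# Fingerprint listed on https://www.python.org/downloads/ at the time of the report.
# Constructed allowlist: a real deployment pins whatever keys the project currently publishes.
PINNED_FINGERPRINTS = {"A035C8C19219BA821ECEA86B64E628F8D684696D"}


def classify_status(status_lines, allowed=PINNED_FINGERPRINTS):
    """Interpret GnuPG --status-fd lines; return (ok, key, reason).

    ok is True only for a VALIDSIG whose signing key (or its primary key) is pinned.
    A missing key is reported together with the key gpg saw, so an operator can
    investigate rather than blindly fetch it from a keyserver.
    """
    seen = None  # fingerprint (or key ID) of the signing key, once gpg names it
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        tag, args = parts[1], parts[2:]
        if tag == "VALIDSIG":
            seen = args[0].upper()
            if seen in allowed or args[-1].upper() in allowed:  # subkey or its primary key
                return True, seen, "valid signature from pinned key"
            return False, seen, "valid signature, but signing key is not pinned"
        if tag == "ERRSIG" and len(args) >= 7:
            seen = args[6].upper()  # trailing fingerprint field (GnuPG 2.2 and later)
        elif tag in ("NO_PUBKEY", "BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, seen or args[0].upper(), f"gpg reported {tag}"
    return False, seen, "no VALIDSIG line in gpg output"


def verify_tarball(tarball, signature, allowed=PINNED_FINGERPRINTS):
    """Run gpg non-interactively with key auto-retrieval off, then apply the allowlist."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-auto-key-retrieve", "--status-fd", "1",
         "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return classify_status(proc.stdout.splitlines(), allowed)


# Constructed status lines modelled on the report: the signature was made by the key
# ending 0568, for which no public key was in the keyring (rc 9 = NO_PUBKEY).
SAMPLE_MISSING_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG B26995E310250568 1 10 00 1710891101 9 E3FF2839C048B25C084DEBE9B26995E310250568",
    "[GNUPG:] NO_PUBKEY B26995E310250568",
]
# Constructed success case: a VALIDSIG from the pinned key.
SAMPLE_PINNED = [
    "[GNUPG:] VALIDSIG A035C8C19219BA821ECEA86B64E628F8D684696D 2024-03-19 1710891101 0 4 0 1 10 00 A035C8C19219BA821ECEA86B64E628F8D684696D",
]
```

`verify_tarball("python.tgz", "python.tgz.asc")` is the drop-in for the `gpg --batch --verify` step above; note it never runs `--recv-keys`, so a key change like the one reported surfaces as a clear rejection naming the unexpected key.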


Labels

type-bug: An unexpected behavior, bug, or error