[issue37967] release candidate is not gpg signed (and missing release workflow)?

2019-09-11 Thread László Kiss Kollár 

László Kiss Kollár  added the comment:

We are seeing the same issue with 3.8b4:

+ curl -fsSLO https://www.python.org/ftp/python/3.8.0/Python-3.8.0b4.tgz
+ curl -fsSLO https://www.python.org/ftp/python/3.8.0/Python-3.8.0b4.tgz.asc
+ gpg --verify Python-3.8.0b4.tgz.asc
gpg: Signature made Thu 29 Aug 2019 10:43:07 PM UTC using RSA key ID 10250568
gpg: Can't check signature: No public key



See https://github.com/pypa/manylinux/pull/344.

--
nosy: +lkollar

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37967] release candidate is not gpg signed (and missing release workflow)?

2019-08-28 Thread Ned Deily 


Ned Deily  added the comment:

The description of this issue is incorrect. All the release artifacts for the 
3.8.0b3 have GPG signatures available - see 
https://www.python.org/downloads/release/python-380b3/ - like all other 
releases.  Looking at the log of the failed Travis run in 
https://github.com/pypa/manylinux/pull/333, the failure there appears to be not 
finding the release manager's public key to verify the GPG signature against.  
There is a languishing open issue about the published public keys files having 
bogus keys in it (https://github.com/python/pythondotorg/issues/1395), perhaps 
that is related.  I'll take a close look shortly.

--
assignee:  -> ned.deily

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37967] release candidate is not gpg signed (and missing release workflow)?

2019-08-28 Thread Karthikeyan Singaravelan 


Change by Karthikeyan Singaravelan :


--
nosy: +lukasz.langa, ned.deily

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37967] release candidate is not gpg signed (and missing release workflow)?

2019-08-28 Thread mattip 


New submission from mattip :

Over at 
[multibuild](https://github.com/pypa/manylinux/pull/333#issuecomment-519802858),
 they ran into an issue trying to build c-extensions with the 3.8rc3 since it 
seems it is not gpg signed.

I could not find a HOWTO_RELEASE document to check that the release workflow 
includes signing the package. One exists in Tools/msi/README.txt.

--
components: Installation
messages: 350660
nosy: mattip
priority: normal
severity: normal
status: open
title: release candidate is not gpg signed (and missing release workflow)?
type: security
versions: Python 3.8

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com