[issue37967] Beta GPG signature check failing

2019-09-12 Thread Trishank Kuppusamy
Trishank Kuppusamy added the comment: The problem with not authoritatively publishing one or more public keys for the Python tarballs is that no one will know for sure which key to trust. If you naively download the public key associated with a malicious tarball, you would trust it w/o

[issue37967] Beta GPG signature check failing

2019-09-12 Thread Ned Deily
Ned Deily added the comment: > If the pubkeys.txt on python.org has no benefit, why does it exist? That's an excellent question! Based on the points raised here and elsewhere, we discussed this more off-line and decided that we should remove the pubkeys.txt file from the website since, as

[issue37967] Beta GPG signature check failing

2019-09-11 Thread mattip
mattip added the comment: > If you use pubkeys.txt from https://www.python.org/static/files/pubkeys.txt, then GPG verification gives you no additional security I am confused. If the pubkeys.txt on python.org has no benefit, why does it exist? What is considered best practices for people

[issue37967] Beta GPG signature check failing

2019-09-11 Thread Christian Heimes
Christian Heimes added the comment: If you use pubkeys.txt from https://www.python.org/static/files/pubkeys.txt, then GPG verification gives you no additional security. An attacker with write access to www.python.org or access to the private key of www.python.org can easily replace the

[issue37967] Beta GPG signature check failing

2019-09-11 Thread mattip
mattip added the comment: I am not a gpg expert, but I think the proper solution is to add the release manager's key to the official Python GPG public key list. What would it take for that to happen? -- ___ Python tracker

[issue37967] Beta GPG signature check failing

2019-09-11 Thread Christian Heimes
Christian Heimes added the comment: This is GPG. You have to download and verify the signature somehow. That's how GPG works. You can either let GPG do it automatically or you can do it manually.

[issue37967] Beta GPG signature check failing

2019-09-11 Thread mattip
mattip added the comment: Is automatic download really the best solution?

[issue37967] Beta GPG signature check failing

2019-09-11 Thread Christian Heimes
Christian Heimes added the comment: It looks like you don't have Łukasz's key and your GnuPG is not configured for automatic key download. Automatic key download works for me: $ gpg --verify Python-3.8.0b4.tgz.asc gpg: assuming signed data in 'Python-3.8.0b4.tgz' gpg: Signature made
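Added example, not code from the tracker thread or from CPython's release tooling: a script that runs gpg --verify with --status-fd and accepts a tarball only when the VALIDSIG primary-key fingerprint is in an allow-list fixed out of band. It illustrates two points from the messages above: automatic key download gives you a "Good signature" from a key you have no reason to trust (gpg still exits 0, reporting TRUST_UNDEFINED), and a pubkeys.txt served by the same site as the tarball adds nothing, so the fingerprints must come from somewhere else. The pinned fingerprints, key IDs and status-line samples below are constructed placeholders, not any real release manager's key.

```python
"""Verify a release tarball's detached GnuPG signature against pinned signer keys.

gpg --verify exits 0 for any cryptographically valid signature, including one made
by a key gpg has never seen and just fetched from a keyserver, so the exit code
says nothing about *who* signed the file.  This script reads the machine-readable
status lines gpg emits on --status-fd and accepts the file only when the
VALIDSIG primary-key fingerprint is in an allow-list obtained out of band.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed placeholder fingerprints for this example; they belong to no real key.
# Fill this from a channel independent of the download site, e.g. a fingerprint
# you confirmed with the release manager or a key already certified in your keyring.
PINNED_RELEASE_MANAGER_FPRS: FrozenSet[str] = frozenset({
    "0000000000000000000000000000000000000001",
    "0000000000000000000000000000000000000002",
})

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    accepted: bool
    reason: str
    signer_fpr: Optional[str] = None
    status: Dict[str, List[str]] = field(default_factory=dict)


def parse_status_lines(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group '[GNUPG:] KEYWORD args...' lines into {KEYWORD: [args, ...]}."""
    status: Dict[str, List[str]] = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable text on the same fd is ignored
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        status.setdefault(keyword, []).append(args)
    return status


def evaluate(status: Dict[str, List[str]], pinned: Iterable[str]) -> VerifyResult:
    """Decide whether the parsed status describes a good signature from a pinned key."""
    pinned = frozenset(p.upper() for p in pinned)
    if "BADSIG" in status:
        return VerifyResult(False, "BADSIG: signature does not match the data", status=status)
    if "NO_PUBKEY" in status or "ERRSIG" in status:
        return VerifyResult(False, "signing key not in keyring; nothing was verified", status=status)
    for bad in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
        if bad in status:  # valid math, but from an expired/revoked key: reject by policy
            return VerifyResult(False, f"{bad}: signature from expired or revoked key", status=status)
    valid_sigs = status.get("VALIDSIG", [])
    if not valid_sigs:
        return VerifyResult(False, "no VALIDSIG line: nothing was verified", status=status)
    primary_fpr = None
    for args in valid_sigs:
        fields = args.split()
        # fields[0] is the fingerprint of the (sub)key that made the signature; the
        # optional 10th field is the primary-key fingerprint when a subkey signed.
        signing_fpr = fields[0].upper()
        primary_fpr = fields[9].upper() if len(fields) > 9 else signing_fpr
        if primary_fpr in pinned or signing_fpr in pinned:
            return VerifyResult(True, "good signature from a pinned key", primary_fpr, status)
    # GOODSIG + TRUST_UNDEFINED is exactly what an automatic key download gives you:
    # the signature is valid, but nothing ties the key to the release manager.
    return VerifyResult(False, f"good signature, but from unpinned key {primary_fpr}", primary_fpr, status)


def verify_file(sig_path: str, data_path: str, pinned=PINNED_RELEASE_MANAGER_FPRS) -> VerifyResult:
    """Run gpg on a real .asc/.tgz pair (not exercised by the constructed samples below)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    # proc.returncode is deliberately not consulted: it is 0 for any valid signature.
    return evaluate(parse_status_lines(proc.stdout.splitlines()), pinned)


# Constructed gpg --status-fd output for three situations (placeholder key IDs).
SAMPLE_PINNED_SUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000000000A1 Example Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000000000A1 2019-09-11 1568160000 0 4 0 1 8 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_AUTO_FETCHED = """\
[GNUPG:] NEWSIG
[GNUPG:] IMPORT_OK 1 0000000000000000000000000000000000000009
[GNUPG:] GOODSIG 0000000000000009 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000009 2019-09-11 1568160000 0 4 0 1 8 00 0000000000000000000000000000000000000009
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000009 1 8 00 1568160000 9 0000000000000000000000000000000000000009
[GNUPG:] NO_PUBKEY 0000000000000009
"""

if __name__ == "__main__":
    for name, sample in [("pinned subkey", SAMPLE_PINNED_SUBKEY),
                         ("auto-fetched key", SAMPLE_AUTO_FETCHED),
                         ("missing key", SAMPLE_NO_PUBKEY)]:
        r = evaluate(parse_status_lines(sample.splitlines()), PINNED_RELEASE_MANAGER_FPRS)
        print(f"{name:17} accepted={r.accepted} ({r.reason})")
```

The first sample is accepted because the primary-key fingerprint in the VALIDSIG line is pinned, even though gpg itself reports TRUST_UNDEFINED; the second has an equally good signature but from a key that was only just imported, and is refused; the third never reached a VALIDSIG at all. Whether to keep auto-key-retrieve enabled is then a convenience question, since the decision no longer depends on what the keyserver or the website hand you.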

[issue37967] Beta GPG signature check failing

2019-09-11 Thread László Kiss Kollár
Change by László Kiss Kollár: -- title: release candidate is not gpg signed (and missing release workflow)? -> Beta GPG signature check failing