Today's Python 3.10.14 source release signed by wrong GPG key#117053

@edmorley

Description

Bug description:

Several Python patch releases were released today:
https://blog.python.org/2024/03/python-31014-3919-and-3819-is-now.html

Attempting to build those with our existing automation is failing for the 3.10.14 release (only), seemingly due to the release having been signed with a different GPG key from normal:

```
+ curl --fail --retry 3 --retry-connrefused --connect-timeout 10 --max-time 60 -o python.tgz https://www.python.org/ftp/python/3.10.14/Python-3.10.14.tgz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0 24.7M    0  8427    0     0   7357      0  0:58:44  0:00:01  0:58:43  7359
100 24.7M  100 24.7M    0     0  14.7M      0  0:00:01  0:00:01 --:--:-- 14.7M
+ curl --fail --retry 3 --retry-connrefused --connect-timeout 10 --max-time 60 -o python.tgz.asc https://www.python.org/ftp/python/3.10.14/Python-3.10.14.tgz.asc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   833  100   833    0     0   3495      0 --:--:-- --:--:-- --:--:--  3485
+ gpg --batch --verbose --recv-keys A035C8C19219BA821ECEA86B64E628F8D684696D
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to dirmngr established
gpg: data source: https://keys.openpgp.org:443
gpg: pub  rsa4096/64E628F8D684696D 2018-03-30  Pablo Galindo Salgado <EMAIL REDACTED>
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key 64E628F8D684696D: public key "Pablo Galindo Salgado <EMAIL REDACTED>" imported
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: Total number processed: 1
gpg:               imported: 1
+ gpg --batch --verify python.tgz.asc python.tgz
gpg: Signature made Tue Mar 19 23:31:41 2024 UTC
gpg:                using RSA key E3FF2839C048B25C084DEBE9B26995E310250568
gpg: Can't check signature: No public key
```

(see https://github.com/heroku/heroku-buildpack-python/actions/runs/8352048284/job/22861497406#step:4:47)

The old A035C8C19219BA821ECEA86B64E628F8D684696D key is still the one listed on:
https://www.python.org/downloads/

And there is no mention of a GPG key change in https://blog.python.org/2024/03/python-31014-3919-and-3819-is-now.html - and in fact the announcement suggests the signing part was meant to be unchanged:

> The artifacts are later still signed by the respective release manager, ensuring integrity when put on the downloads server.

Is this a regression from the migration to releasing from GitHub Actions (mentioned in the blog post)?

cc @pablogsal

CPython versions tested on:

3.10

Operating systems tested on:

Linux
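A fail-closed verification step for this kind of build automation, added here as an example and not code from the issue or from the buildpack: it evaluates GnuPG's machine-readable `--status-fd` output instead of the human-readable messages in the log above, pins full fingerprints rather than a key ID, and reports which key actually made the signature when verification fails. The trusted set, the sample status lines and the timestamp are constructed; the key IDs in the failing sample are the ones from the log.

```python
import re

# Fingerprints the automation trusts (constructed: the one key pinned by the
# issue's job; in practice, every RM fingerprint published on python.org/downloads).
TRUSTED_FINGERPRINTS = {"A035C8C19219BA821ECEA86B64E628F8D684696D"}  # Pablo Galindo Salgado
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


def check_signature_status(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """Evaluate `gpg --batch --status-fd 1 --verify sig file` output -> (ok, reason).
    Pins the full fingerprint from VALIDSIG (GOODSIG only carries a 64-bit key ID) and
    fails closed on everything else; TRUST_* lines are ignored, pinning replaces the WoT."""
    fingerprints = []
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # plain stderr chatter, not a machine-readable status line
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            # args[0] is the long key ID that made the signature: the
            # "Can't check signature: No public key" case from the issue.
            return False, f"cannot verify: signed by key {args[0]}, not in local keyring"
        if keyword in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"{keyword}: {' '.join(args)}"
        if keyword == "VALIDSIG":
            # args[0]: signing (sub)key fingerprint; args[9], if present: primary
            # key fingerprint, so pinning the primary also covers subkey signatures.
            fingerprints.append(args[0].upper())
            if len(args) >= 10:
                fingerprints.append(args[9].upper())
    if not fingerprints:
        return False, "no VALIDSIG line: signature not verified"
    hits = [f for f in fingerprints if f in trusted]
    if not hits:
        return False, f"valid signature, but key {fingerprints[0]} is not pinned"
    return True, f"valid signature from pinned key {hits[0]}"


# Constructed status lines mirroring the failing job in the issue (key IDs from its log).
FAILING_RUN = [
    "[GNUPG:] ERRSIG B26995E310250568 1 10 00 1710891101 9 E3FF2839C048B25C084DEBE9B26995E310250568",
    "[GNUPG:] NO_PUBKEY B26995E310250568",
]
# Constructed status lines for a signature made by the pinned key (timestamp invented).
PASSING_RUN = [
    "[GNUPG:] GOODSIG 64E628F8D684696D Pablo Galindo Salgado <EMAIL REDACTED>",
    "[GNUPG:] VALIDSIG A035C8C19219BA821ECEA86B64E628F8D684696D 2024-03-19 1710891101 0 4 0 1 10 00 A035C8C19219BA821ECEA86B64E628F8D684696D",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
```

Feed it the stdout of `gpg --batch --status-fd 1 --verify python.tgz.asc python.tgz`; importing keys on demand from a keyserver based on the key ID in the signature would defeat the pin, so the trusted set should only grow through a reviewed change.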

Labels: type-bug (An unexpected behavior, bug, or error)
