Issue 30992: Invalid PGP Key Prevents Archive Validation (original) (raw)

Issue30992

Created on 2017-07-22 15:53 by cwprogram, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (3)
msg298858 - (view)	Author: Chris White (cwprogram)	Date: 2017-07-22 15:53
When trying to validate the Python 3.6.1 tgz using the ASC file, I can't import all the keys due to the following error: ``` gpg: Note: signatures using the MD5 algorithm are rejected gpg: key ED9D77D5: no valid user IDs gpg: this may be caused by a missing self-signature ``` This is using Ubuntu 16.04 and gpg (GnuPG) 1.4.20, running the command ``` wget https://www.python.org/static/files/pubkeys.txt gpg --import pubkeys.txt ``` If I take out the key ID manually out of the entire list and import the keys by their IDs instead it works.
msg299415 - (view)	Author: Ned Deily (ned.deily) *	Date: 2017-07-28 17:43
Thanks for the report. I have opened https://github.com/python/pythondotorg/pull/1109 to remove the obsolete MD5 key from the pubkeys file. Until the updated file is deployed and the website page updated, another workaround may be to use the --allow-weak-digest-algos option of gpg: gpg --import --allow-weak-digest-algos pubkeys.txt In general, problems with the python.org website should be reported on its issue tracker: https://www.python.org/about/help/ https://github.com/python/pythondotorg/issues
msg299431 - (view)	Author: Ned Deily (ned.deily) *	Date: 2017-07-28 19:51
P.S., the pubkeys.txt file on python.org and the "OpenPGP Public Keys" section of https://www.python.org/downloads/ have now been updated.