This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Invalid PGP Key Prevents Archive Validation
Type: Stage: resolved
Components: Installation Versions: Python 3.6
Status: closed Resolution: third party
Dependencies: Superseder:
Assigned To: Nosy List: cwprogram, ned.deily
Priority: normal Keywords:

Created on 2017-07-22 15:53 by cwprogram, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (3)
msg298858 - (view) Author: Chris White (cwprogram) Date: 2017-07-22 15:53
When trying to validate the Python 3.6.1 tgz using the ASC file, I can't import all the keys due to the following error:

gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key ED9D77D5: no valid user IDs
gpg: this may be caused by a missing self-signature

This is using Ubuntu 16.04 and gpg (GnuPG) 1.4.20, running the command

gpg --import pubkeys.txt

If I take out the key ID manually out of the entire list and import the keys by their IDs instead it works.
msg299415 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-28 17:43
Thanks for the report.  I have opened to remove the obsolete MD5 key from the pubkeys file.  Until the updated file is deployed and the website page updated, another workaround may be to use the --allow-weak-digest-algos option of gpg:

gpg --import --allow-weak-digest-algos pubkeys.txt

In general, problems with the website should be reported on its issue tracker:
msg299431 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-28 19:51
P.S., the pubkeys.txt file on and the "OpenPGP Public Keys" section of have now been updated.
Date User Action Args
2022-04-11 14:58:49adminsetgithub: 75175
2017-07-28 19:51:27ned.deilysetmessages: + msg299431
2017-07-28 17:43:16ned.deilysetstatus: open -> closed

type: security ->

nosy: + ned.deily
messages: + msg299415
resolution: third party
stage: resolved
2017-07-22 15:53:23cwprogramcreate