classification
Title: Invalid PGP Key Prevents Archive Validation
Type: Stage: resolved
Components: Installation Versions: Python 3.6
process
Status: closed Resolution: third party
Dependencies: Superseder:
Assigned To: Nosy List: cwprogram, ned.deily
Priority: normal Keywords:

Created on 2017-07-22 15:53 by cwprogram, last changed 2017-07-28 19:51 by ned.deily. This issue is now closed.

Messages (3)
msg298858 - (view) Author: Chris White (cwprogram) Date: 2017-07-22 15:53
When trying to validate the Python 3.6.1 tgz using the ASC file, I can't import all the keys due to the following error:

```
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key ED9D77D5: no valid user IDs
gpg: this may be caused by a missing self-signature
```

This is using Ubuntu 16.04 and gpg (GnuPG) 1.4.20, running the command

```
wget https://www.python.org/static/files/pubkeys.txt
gpg --import pubkeys.txt
```

If I take out the key ID manually out of the entire list and import the keys by their IDs instead it works.
msg299415 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-28 17:43
Thanks for the report.  I have opened https://github.com/python/pythondotorg/pull/1109 to remove the obsolete MD5 key from the pubkeys file.  Until the updated file is deployed and the website page updated, another workaround may be to use the --allow-weak-digest-algos option of gpg:

gpg --import --allow-weak-digest-algos pubkeys.txt

In general, problems with the python.org website should be reported on its issue tracker:

https://www.python.org/about/help/
https://github.com/python/pythondotorg/issues
msg299431 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-28 19:51
P.S., the pubkeys.txt file on python.org and the "OpenPGP Public Keys" section of https://www.python.org/downloads/ have now been updated.
History
Date User Action Args
2017-07-28 19:51:27ned.deilysetmessages: + msg299431
2017-07-28 17:43:16ned.deilysetstatus: open -> closed

type: security ->

nosy: + ned.deily
messages: + msg299415
resolution: third party
stage: resolved
2017-07-22 15:53:23cwprogramcreate