Roundup Tracker - Issues

Issue 2551279

classification
GPG support removed from pypi - rewrite pgp signature validation.
Type: behavior Severity: normal
Components: Infrastructure Versions:
process
Status: fixed fixed
: rouilj : rouilj
Priority: :

Created on 2023-05-29 01:29 by rouilj, last changed 2023-05-29 22:42 by rouilj.

Messages
msg7777 Author: [hidden] (rouilj) Date: 2023-05-29 01:29
https://discuss.python.org/t/gpg-signature-support-removed-from-pypi/27014

announces removal of GPG/PGP signatures being uploaded to pypi.
The RELEASE.txt document describes how to upload it. Doc needs to be rewritten
to remove upload to PyPI and a new place for the detached signatures:

  * part of www.roundup-tracker.org doc/security.html page
  * some downloadable location (docs/release-signature/v2.3.0??)
    use the security.htm page as index to the download locations???

needs to be decided on and documented.

Update directions on how to verify the source tarball located in
tools/roundup.public.pgp.key.

Also update security.txt to include the location of the roundup project public key in 
tools/roundup.public.pgp.key.

Also there is an earlier version of the key on pgp.mit.edu. It needs to be updated.
I tried this evening by uploading the pgp part of tools/roundup.public.pgp.key, but
searching immediately after still returned the key that expires in 2023 not the new key that
expires in 2028.
msg7780 Author: [hidden] (rouilj) Date: 2023-05-29 22:42
Signatures from 1.6 onward will be published at www.roundup-tracker.org/signatures.
The index for the keys is in security.html.

Verification directions moved to security.html. tools/roundup.public.pgp.key now
references the security.html document. Directions include verifying using the
alternate key (from pgp.mit.edu) that was accidentally used for signing a number
of releases.

The updated roundup signing key is being retrieved by gpg --keyserver pgp.mit.edu
--receive-keys <roundup key fingerprint>.

changeset:   7428:186956a87ad7
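
An added example, not part of the issue or of Roundup's own directions: one way to verify a detached signature against a key file while accepting either of two pinned signing keys, as with the primary and alternate keys mentioned in msg7780. The fingerprints, sample status lines, file names and function names are constructed for illustration; the real fingerprints come from the project's published verification directions.

```sh
#!/bin/sh
# Constructed fingerprints for illustration only; they are not Roundup's keys.
EX_PRIMARY_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EX_SUBKEY_FPR=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EX_ALT_FPR=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $EX_SUBKEY_FPR 2023-05-29 1685400000 0 4 0 1 10 00 $EX_PRIMARY_FPR"

# Read gpg status lines on stdin; print the primary-key fingerprint of each
# valid signature (field 12 of VALIDSIG, falling back to the signing key).
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3) }'
}

# fpr_allowed FPR ALLOWED...  -> 0 only if FPR exactly matches a pinned value.
fpr_allowed() {
    want=$1; shift
    [ -n "$want" ] || return 1
    for ok in "$@"; do
        if [ "$want" = "$ok" ]; then return 0; fi
    done
    return 1
}

# verify_release KEYFILE SIGFILE TARBALL ALLOWED_FPR...
# Uses a throwaway keyring so only keys from KEYFILE can validate the signature.
verify_release() {
    keyfile=$1; sig=$2; tarball=$3; shift 3
    home=$(mktemp -d) || return 2
    if gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null &&
       status=$(gpg --homedir "$home" --batch --status-fd 1 \
                    --verify "$sig" "$tarball" 2>/dev/null)
    then rc=0; else rc=1; fi
    rm -rf "$home"
    [ "$rc" -eq 0 ] || return 1          # import or signature check failed
    fpr=$(printf '%s\n' "$status" | validsig_fpr)
    # Output with several fingerprints (newlines) never equals a pinned value.
    fpr_allowed "$fpr" "$@"
}

# Usage with placeholder file names:
#   verify_release project.key release.tar.gz.asc release.tar.gz \
#       "$EX_PRIMARY_FPR" "$EX_ALT_FPR"
```

Comparing the full fingerprint from VALIDSIG, rather than trusting a "Good signature" message alone, is what keeps a signature made by an unexpected key in the keyring from passing.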
History
Date                 User    Action  Args
2023-05-29 22:42:38  rouilj  set     status: new -> fixed; assignee: rouilj; resolution: fixed; messages: + msg7780
2023-05-29 01:29:21  rouilj  create