annotate doc/security.txt @ 7430:bd5bebb11695

add headers; make signature list multicolumn
author John Rouillard <rouilj@ieee.org>
date Mon, 29 May 2023 19:28:38 -0400
parents 32bd5013bf32
children 1c291a05d90f
Changesets annotated in this file, all by John Rouillard <rouilj@ieee.org>:

7092 1836e0ef7751 Add new security.txt
7099 a3223f1966fc update to use ralf's preferred email address. (parents: 7095)
7428 186956a87ad7 issue2551279 - GPG support removed from pypi - rewrite pgp signature validation. (parents: 7099)
7429 32bd5013bf32 Fix missed format changes. (parents: 7428)
7430 bd5bebb11695 add headers; make signature list multicolumn (parents: 7429)

.. meta::
    :description:
        Documentation on how to report security issues with
        Roundup. Also index to security related portions in other
        Roundup documentation. How to verify distribution using gpg.

.. index::
   single: Reporting Security Issues
   single: Security Issues, Reporting


=======================
Roundup Security Issues
=======================

Security issues with Roundup should be reported by email to:

   rouilj@users.sourceforge.net (John Rouillard)

   rsc@runtux.com (Ralf Schlatterbeck)

If these fail, you can find rouilj on irc in channel #roundup at
irc.oftc.net (see Contact_ for more directions and web
interface). Methods listed at Contact_ are all public, so they should
be used to contact somebody with the Roundup project for establishing
a proper method of reporting the security issue.

.. _Contact: https://www.roundup-tracker.org/contact.html

Verify Source Tarball
---------------------

.. index::
   single: Distribution, verify with gpg
   single: Signature, verify

If you download the source tarball using ``python3 -m pip download
roundup`` or from https://pypi.org/project/roundup/#files you can
verify the file using gpg.

This is the information on the public PGP/GPG key used to sign Roundup
distributions. It is used to sign the 1.6.0, 2.2.0, and newer
releases. (Note that the @ sign in email addresses has been replaced
with the word "at" to reduce spam directed at the mailing list.)::

  Key info: Roundup Team (signing key for roundup releases)
            <roundup-devel at lists.sourceforge.net>
  Expires: 2028-07-17
  Key fingerprint = 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8

Releases 1.6.1, 2.0.0 and 2.1.0 were accidentally signed with this key
[1]_::

  Key info: John Rouillard (Roundup Release Key)
            <rouilj+roundup at ieee.org>
  Expires: 2023-07-09
  Key fingerprint = A1E6 364E 9429 E9D8 2B3B 2373 DB05 ADC4 2330 5876

.. [1] Use gpg to import this key from the keyserver pgp.mit.edu
       if you need to verify one of these releases. Use the gpg
       pgp.mit.edu keyserver example, replacing the key fingerprint
       with the one starting A1E6.

Importing the Public Key
~~~~~~~~~~~~~~~~~~~~~~~~

This only has to be added to your keyring once. You can import a key
from pgp.mit.edu using::

  gpg --keyserver pgp.mit.edu --receive-keys 411E354B5D1AF26125D621221F2DD0CB756A76D8

where the fingerprint (without spaces) is used to identify which key
to receive. You can also extract and import the file
``tools/roundup.public.pgp.key`` from the downloaded source tarball
using::

  tar -xzvf roundup-2.2.0.tar.gz -O \
      roundup-2.2.0/tools/roundup.public.pgp.key > pub.key

  gpg --import pub.key

Once you have loaded the public key, you need a detached signature for
your release.


Download and Verify with Detached Signature
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This needs to be done once for each release you wish to verify.

The Python Package Index (PyPI) used to support uploading gpg detached
signatures. However, that is no longer supported and downloading
existing signatures may not work in the future.

As a result, the signatures for all Roundup final releases starting
with 1.6.0 have been moved and are linked below:

.. rst-class:: multicol

* `2.2.0 <../signatures/roundup-2.2.0.tar.gz.asc>`_
* `2.1.0 <../signatures/roundup-2.1.0.tar.gz.asc>`_
* `2.0.0 <../signatures/roundup-2.0.0.tar.gz.asc>`_
* `1.6.1 <../signatures/roundup-1.6.1.tar.gz.asc>`_
* `1.6.0 <../signatures/roundup-1.6.0.tar.gz.asc>`_

To use the signature, download the correct versioned link and verify
it with (note 1.5.7 is a dummy version, use the correct version
number)::

  gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz

You should see::

  gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
  gpg:                using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
  gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8

which verifies the tarball integrity. The WARNING is expected and the
date corresponds to the newest renewal of the Roundup key. As long as
you see the output starting with "Good signature from" followed by the
Key Info for your key, everything is OK.

If something is wrong you will see::

  gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
  gpg:                using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
  gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"

**Do not use** the tarball if the signature is BAD. Email the
roundup-devel mailing list if you have this happen to you.
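
The verification described above depends on reading gpg's human-oriented output, and gpg reports "Good signature" for any key present in the keyring. As an added example (not part of the Roundup documentation or project code), the shell functions below make the decision from gpg's machine-readable ``--status-fd`` lines and also require that the signature comes from the fingerprint published on this page. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Roundup project.
# Fingerprint of the Roundup release signing key, as published above.
ROUNDUP_FPR=411E354B5D1AF26125D621221F2DD0CB756A76D8

# check_status EXPECTED_FPR
# Reads gpg "--status-fd" lines on stdin. Succeeds only when a VALIDSIG
# line names EXPECTED_FPR as the primary key (its last field) and no
# BADSIG, ERRSIG or REVKEYSIG line is present. A good signature made by
# some other key in the keyring is rejected. EXPKEYSIG (good signature,
# expired key) is left to local policy and is not rejected here.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(want)) good = 1; else bad = 1
        }
        END { exit((good && !bad) ? 0 : 1) }
    '
}

# verify_release SIGFILE TARBALL [EXPECTED_FPR]
# Runs the page's "gpg --verify" with status lines sent to stdout.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$ROUNDUP_FPR}"
}

# Constructed status output (not captured from a real run).
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1F2DD0CB756A76D8 Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>
[GNUPG:] VALIDSIG 411E354B5D1AF26125D621221F2DD0CB756A76D8 2022-07-13 1657686254 0 4 0 1 10 00 411E354B5D1AF26125D621221F2DD0CB756A76D8
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1F2DD0CB756A76D8 Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>
EOF
}

# Valid signature, but from a key other than the pinned one
# (placeholder fingerprint of forty zeros).
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <someone at example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-07-13 1657686254 0 4 0 1 10 00 0000000000000000000000000000000000000000
EOF
}

# Demonstration on the constructed samples.
for s in sample_good sample_bad sample_other_key; do
    if $s | check_status "$ROUNDUP_FPR"; then
        echo "$s: accept"
    else
        echo "$s: reject"
    fi
done
```

With gpg installed and the key imported, ``verify_release roundup-2.2.0.tar.gz.asc roundup-2.2.0.tar.gz`` returns 0 only for a tarball signed by the pinned key. For releases 1.6.1, 2.0.0 and 2.1.0, pass the fingerprint starting A1E6 (without spaces) as the third argument.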

Roundup Issue Tracker: http://roundup-tracker.org/