setuptools
[BUG] Versions > 75.1.0 do not have a signed tag, preventing upgrade
setuptools version
75.1.1
Python version
3.12
OS
Arch Linux
Additional environment information
No response
Description
For upstream source validation in systems packaging on Arch Linux we rely on pinned OpenPGP certificates.
For this project we have pinned the OpenPGP certificate with the fingerprint CE380CF3044959B8F377DA03708E6CB181B4C47E, held by @jaraco.
We tried upgrading to setuptools > 75.1.0 and validating the tags using the above OpenPGP certificate, but noticed that tags newer than 75.1.0 are no longer signed.
The tags 75.1.1, 75.2.0 and 75.3.0 cannot be validated and we are not able to use them.
cc @polyzen @felixonmars
Expected behavior
Tags are signed by the OpenPGP key with the fingerprint CE380CF3044959B8F377DA03708E6CB181B4C47E.
How to Reproduce
- git clone https://github.com/pypa/setuptools && cd setuptools
- curl https://github.com/jaraco.gpg |gpg --import
- git verify-tag 75.1.0
- git verify-tag 75.1.1
Output
git clone https://github.com/pypa/setuptools && cd setuptools
Cloning into 'setuptools'...
remote: Enumerating objects: 74280, done.
remote: Counting objects: 100% (2191/2191), done.
remote: Compressing objects: 100% (1057/1057), done.
remote: Total 74280 (delta 1419), reused 1723 (delta 1125), pack-reused 72089 (from 1)
Receiving objects: 100% (74280/74280), 45.60 MiB | 23.30 MiB/s, done.
Resolving deltas: 100% (43865/43865), done.
curl https://github.com/jaraco.gpg |gpg --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3922 100 3922 0 0 51059 0 --:--:-- --:--:-- --:--:-- 51605
gpg: key 708E6CB181B4C47E: "Jason R. Coombs <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
git verify-tag v75.1.0
gpg: Signature made 2024-09-16T14:38:27 CEST
gpg: using RSA key CE380CF3044959B8F377DA03708E6CB181B4C47E
gpg: Good signature from "Jason R. Coombs <[email protected]>" [unknown]
gpg: aka "Jason R. Coombs <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CE38 0CF3 0449 59B8 F377 DA03 708E 6CB1 81B4 C47E
git verify-tag v75.1.1
error: no signature found
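The pinned-fingerprint check the report relies on, as an added example that is not from the issue or the setuptools project: it parses the GnuPG status lines that `git verify-tag --raw <tag>` writes to stderr and accepts a tag only if a VALIDSIG line names the pinned fingerprint, so a missing signature or a signature from any other key in the keyring (which gpg would still report as a "Good signature") is rejected. The sample status output is constructed, not captured from the repository.

```python
"""Verify a git tag against a pinned OpenPGP fingerprint.

`git verify-tag --raw` forwards gpg's machine-readable status lines
("[GNUPG:] ...") on stderr. Only VALIDSIG carries the full fingerprint,
so that is what the pin is compared against; GOODSIG and the trust-db
warning seen in the issue output are irrelevant once a fingerprint is pinned.
"""
import subprocess

PINNED_FPR = "CE380CF3044959B8F377DA03708E6CB181B4C47E"  # fingerprint from the issue


def valid_fingerprints(status_output: str) -> set[str]:
    """Return every fingerprint named by a VALIDSIG status line."""
    fprs: set[str] = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs.add(parts[2].upper())          # signing (sub)key fingerprint
            if len(parts) >= 12:                # optional final field: primary key fingerprint
                fprs.add(parts[11].upper())
    return fprs


def tag_trusted(status_output: str, pinned: str = PINNED_FPR) -> bool:
    """True only if a valid signature from the pinned key is present."""
    return pinned.upper() in valid_fingerprints(status_output)


def verify_tag(tag: str, pinned: str = PINNED_FPR) -> bool:
    """Run git verify-tag --raw in the current repository and apply the pin.

    An unsigned tag (e.g. v75.1.1 in the issue) exits non-zero with
    'error: no signature found' and emits no status lines, so it fails here.
    """
    proc = subprocess.run(["git", "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return tag_trusted(proc.stderr, pinned)


# Constructed samples modelled on gpg's --status-fd format (not real captures).
SIGNED_SAMPLE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 708E6CB181B4C47E Jason R. Coombs <[email protected]>
[GNUPG:] VALIDSIG CE380CF3044959B8F377DA03708E6CB181B4C47E 2024-09-16 1726490307 0 4 0 1 10 00 CE380CF3044959B8F377DA03708E6CB181B4C47E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
OTHER_KEY_SAMPLE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <[email protected]>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-09-16 1726490307 0 4 0 1 10 00
"""
UNSIGNED_SAMPLE = ""  # no status lines at all, as for a tag without a signature
```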