3.0.7: signature key-id 763629FEC8788FC35128B5F6EE029D1E5EB40300 not found #980
Comments
|
Indeed! I will fix it as soon as I can, which is when the travel ban in China is lifted. |
3.1.0 ===== * Switched back to using gitdb package as requirement (`gitdb#59 <https://github.com/gitpython-developers/gitdb/issues/59>`_) 3.0.9 ===== * Restricted GitDB (gitdb2) version requirement to < 4 * Removed old nose library from test requirements Bugfixes -------- * Changed to use UTF-8 instead of default encoding when getting information about a symbolic reference (`#774 <https://github.com/gitpython-developers/GitPython/issues/774>`_) * Fixed decoding of tag object message so as to replace invalid bytes (`#943 <https://github.com/gitpython-developers/GitPython/issues/943>`_) 3.0.8 ===== * Added support for Python 3.8 * Bumped GitDB (gitdb2) version requirement to > 3 Bugfixes -------- * Fixed Repo.__repr__ when subclassed (`#968 <https://github.com/gitpython-developers/GitPython/pull/968>`_) * Removed compatibility shims for Python < 3.4 and old mock library * Replaced usage of deprecated unittest aliases and Logger.warn * Removed old, no longer used assert methods * Replaced usage of nose assert methods with unittest 3.0.7 ===== Properly signed re-release of v3.0.6 with new signature (See `#980 <https://github.com/gitpython-developers/GitPython/issues/980>`_) 3.0.6 ===== | Note: There was an issue that caused this version to be released to PyPI without a signature | See the changelog for v3.0.7 and `#980 <https://github.com/gitpython-developers/GitPython/issues/980>`_ Bugfixes -------- * Fixed warning for usage of environment variables for paths containing ``$`` or ``%`` (`#832 <https://github.com/gitpython-developers/GitPython/issues/832>`_, `#961 <https://github.com/gitpython-developers/GitPython/pull/961>`_) * Added support for parsing Git internal date format (@<unix timestamp> <timezone offset>) (`#965 <https://github.com/gitpython-developers/GitPython/pull/965>`_) * Removed Python 2 and < 3.3 compatibility shims (`#979 <https://github.com/gitpython-developers/GitPython/pull/965>`_) * Fixed GitDB (gitdb2) requirement version specifier formatting in requirements.txt (`#979 <https://github.com/gitpython-developers/GitPython/pull/965>`_)
|
Version 3.1.1 was just released, signed with the known signature. I plan to establish a chain of trust with new keys in May to allow CI to produces packages automatically in future, thus removing the dependency on me or my key. |
|
Eh... sorry, but you are still referring to The only known key so far has been |
|
I don't know where the idea of me intentionally spreading false information is coming from, especially given the track record of this project with keys and their (mis)management. Often people are just making mistakes. Thanks for pointing out which key is the right one - now that I have two computers here, one with USB-C and my gpg configuration, and another one without gpg configuration but USB-A support, I should finally be able to add one and one together and sign with 2CF6E0B51AAF73F09B1C21174D1DA68C88710E60. Eventually I will manage to get it right. |
|
Ok, I tried and I failed with I have no idea what kind of massaging it wants to accept the configuration and the plugged-in USB-A key, and I think it's best to save the time to find out and postpone this to May. Then I will be back home with access to all the neat gadgets that allow me to use a USB-A key on a computer with USB-C ports only, but with a provably working gpg configuration. Apologies for the inconvenience this false alert may have caused, life is complicated sometimes :D |
Sorry, I did not mean that in an offensive way. It just got me running in a wrong direction this morning.
What were you trying to do? If you want to sign the new key |
|
No worries, all good! Please note that GitPython v3.1.2 was just released with the known signature. Regarding the failure - by now I don't even know what I tried to do there, but recall that all it presented was this nondescript error message. For now I am able to sign using the common keys and maybe one day I will manage to sign the new key (7636…) with the old one (2CF6…) and publish this to the key servers. Shouldn't be too hard, and it's certainly worth it to make this system more robust. Your suggestions on how to achieve this are highly appreciated as well in case you want to share useful tips and resources on how to do this properly. |
|
Closing in favor of #1055 |
Hi!
I'm currently trying to build 3.0.7 as a package for Arch Linux. It seems a new key was used for signing this release, but this is not mentioned in the release notes, nor can the key be found on any keyserver yet.
Please sign the new key
763629FEC8788FC35128B5F6EE029D1E5EB40300with the old key2CF6E0B51AAF73F09B1C21174D1DA68C88710E60and upload the new key (plus signature) to the keyservers, so a chain of trust can be established.In the current situation I feel not comfortable packaging this version.
In case you want to make sure that the key ends up on (all) key servers, you can use this script:
https://paste.xinu.at/axX1B9w/
The text was updated successfully, but these errors were encountered: