
1.1.8 has BAD gpg signature on pypi.org #4213

Closed
LocutusOfBorg opened this issue Dec 15, 2018 · 10 comments

@LocutusOfBorg
Contributor

Hello,

gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'borgbackup-1.1.8.tar.gz'
gpg: Signature made dom 09 dic 2018 03:37:30 CET
gpg:                using RSA key 2F81AFFBAB04E11FE8EE65D4243ACFA951F78E01
gpg:                issuer "tw@waldmann-edv.de"
gpg: BAD signature from "Thomas Waldmann <tw@waldmann-edv.de>" [unknown]

This prevents me from uploading in Debian :)

@LocutusOfBorg
Contributor Author

Well, I'll upload because it matches what is in the upstream git, but please fix the signature :)

@ThomasWaldmann
Member

ThomasWaldmann commented Dec 15, 2018

@LocutusOfBorg congrats, you're the first to actually notice and report that!

I messed this up when doing the upload to pypi and having only a half-working gpg setup (seems like the qubes os gpg-client[-wrapper] is not fully compatible with gpg). So I tried to work around this by doing it in 2 steps, but the sig from step 1 did not match the binary from step 2...

I tried to fix this, but pypi does not let me upload the same version again.

I uploaded the same release archive as on pypi also to github releases and put a valid signature there.

As there seems to be nothing automatically checking these signatures when installing from pypi, I thought I'd just wait and see whether somebody would complain.

So, how did you find it, did you check manually or was it some tool checking the sig from pypi?

@ThomasWaldmann ThomasWaldmann changed the title 1.1.8 has BAD gpg signature 1.1.8 has BAD gpg signature on pypi.org Dec 15, 2018
@LocutusOfBorg
Contributor Author

My upgrade workflow is:
go on debian borgbackup git repo.
merge my history with the upstream one (upstream tag)
call "uscan" to grab from pypi the orig tarball, and import it with the tag.
(this seems difficult, but it is a matter of git fetch, uscan and gbp import orig).
Update/upload/test whatever.

Recent "uscan" releases automatically check for signatures with this regex

version=4
opts=uversionmangle=s/(rc|a|b|c)/~$1/,pgpsigurlmangle=s/$/.asc/ \
https://pypi.debian.net/borgbackup/borgbackup-(.+)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))

So, noticing is not just luck, but a new way introduced some years ago in Debian to check for file consistency.

we are not using this method [1] to check for authenticity :)
[1] https://xkcd.com/1181/

@LocutusOfBorg
Contributor Author

feel free to close, I already have uploaded in Debian!

@ThomasWaldmann
Member

Guess I'll keep the issue open just in case someone else is wondering - until 1.1.9 is released.

@lfam
Contributor

lfam commented Dec 16, 2018

I used to check the signatures from PyPI, but recently the PyPI site stopped showing the signature files in the web-based download interface. [0] How do you even know how to download them now?

I know that PyPI wanted to stop supporting PGP, and I didn't realize anyone was still uploading them.

[0] https://pypi.org/project/borgbackup/#files
pypi/warehouse#3356

@ThomasWaldmann
Member

It is the same URL as the archive file + .asc.
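The two checks this thread relies on, written out as an added example (not part of the issue, of uscan, or of borgbackup's own code): the Debian watch-file rules quoted earlier (match the PyPI tarball name, apply uversionmangle, derive the .asc URL as archive URL + ".asc", exactly as stated in the reply above), and a reduction of gpg's machine-readable `--status-fd` output to a single verdict so that a BAD signature stops an automated import instead of relying on someone noticing it. The trusted fingerprint and user id are taken from the gpg output quoted at the top of the issue; the status lines are constructed to mirror that output, and the `run_gpg_verify` helper and its path arguments are assumptions for illustration.

```python
"""
Added example: watch-file style tarball/signature handling plus gpg status parsing.
Runs offline on the constructed sample data below; only run_gpg_verify() calls gpg.
"""
import re
import subprocess

# Tarball pattern from the watch file quoted in the issue, as a Python regex.
TARBALL_RE = re.compile(
    r"borgbackup-(.+)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))$"
)

# Fingerprint pinned from the gpg output quoted in the issue (the signing key
# Debian would ship as debian/upstream/signing-key.asc).
TRUSTED_FINGERPRINTS = {"2F81AFFBAB04E11FE8EE65D4243ACFA951F78E01"}


def upstream_version(archive_url: str) -> str:
    """Extract the upstream version from a PyPI download URL via the watch regex."""
    name = archive_url.rsplit("/", 1)[-1]
    m = TARBALL_RE.match(name)
    if not m:
        raise ValueError(f"not a borgbackup release archive: {name}")
    return m.group(1)


def debian_mangle(version: str) -> str:
    """uversionmangle=s/(rc|a|b|c)/~$1/ - Perl s/// without /g, so first match only."""
    return re.sub(r"(rc|a|b|c)", r"~\1", version, count=1)


def signature_url(archive_url: str) -> str:
    """pgpsigurlmangle=s/$/.asc/ - the detached signature is the archive URL + '.asc'."""
    return archive_url + ".asc"


def classify_gpg_status(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """
    Reduce '[GNUPG:] ...' lines (gpg --status-fd) to (verdict, key).
    verdict is one of: "bad", "nokey", "good", "untrusted", "unknown".
    A BADSIG wins immediately: the signature does not cover this file.
    """
    good_keyid = None
    valid_fpr = None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "BADSIG":
            return "bad", parts[2]
        if tag == "NO_PUBKEY":
            return "nokey", parts[2]
        if tag == "GOODSIG":
            good_keyid = parts[2]
        elif tag == "VALIDSIG":
            valid_fpr = parts[2]  # primary field is the signing key fingerprint
    if good_keyid and valid_fpr:
        return ("good" if valid_fpr in trusted else "untrusted"), valid_fpr
    return "unknown", good_keyid


def run_gpg_verify(signature_path: str, archive_path: str):
    """Assumed helper: run gpg with status output on fd 1 and classify the result."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, archive_path],
        capture_output=True, text=True,
    )
    return classify_gpg_status(proc.stdout.splitlines())


# Constructed status lines, modelled on the gpg output quoted in the issue.
BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED 2F81AFFBAB04E11FE8EE65D4243ACFA951F78E01 0",
    "[GNUPG:] BADSIG 243ACFA951F78E01 Thomas Waldmann <tw@waldmann-edv.de>",
]
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEY_CONSIDERED 2F81AFFBAB04E11FE8EE65D4243ACFA951F78E01 0",
    "[GNUPG:] GOODSIG 243ACFA951F78E01 Thomas Waldmann <tw@waldmann-edv.de>",
    "[GNUPG:] VALIDSIG 2F81AFFBAB04E11FE8EE65D4243ACFA951F78E01 2018-12-09 1544323050 0 4 0 1 8 00 2F81AFFBAB04E11FE8EE65D4243ACFA951F78E01",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    url = "https://pypi.debian.net/borgbackup/borgbackup-1.1.8.tar.gz"
    print(upstream_version(url), debian_mangle("1.1.8rc1"), signature_url(url))
    print(classify_gpg_status(BAD_STATUS), classify_gpg_status(GOOD_STATUS))
```

Note the pinned fingerprint: a GOODSIG alone only says the signature checks out for some key in the keyring, which is why `classify_gpg_status` also requires the VALIDSIG fingerprint to match the expected upstream key before returning "good".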

@ThomasWaldmann
Member

TODO: update release docs:

@ThomasWaldmann ThomasWaldmann self-assigned this Feb 1, 2019
ThomasWaldmann added a commit to ThomasWaldmann/borg that referenced this issue Feb 1, 2019
ThomasWaldmann added a commit to ThomasWaldmann/borg that referenced this issue Feb 1, 2019
ThomasWaldmann added a commit that referenced this issue Feb 1, 2019
update release workflow using twine (docs, scripts), see #4213
ThomasWaldmann added a commit to ThomasWaldmann/borg that referenced this issue Feb 1, 2019
ThomasWaldmann added a commit to ThomasWaldmann/borg that referenced this issue Feb 1, 2019
ThomasWaldmann added a commit that referenced this issue Feb 2, 2019
update release workflow using twine (docs, scripts), see #4213
ThomasWaldmann added a commit that referenced this issue Feb 2, 2019
update release workflow using twine (docs, scripts), see #4213
@ThomasWaldmann
Member

The release workflow now uses twine to avoid this kind of issue, so nothing is left to do here.

Just keeping it open until the 1.1.9 release in case somebody is wondering about the bad signature.

@ThomasWaldmann
Member

1.1.9 is coming soon, closing this.

@ghost ghost mentioned this issue Aug 26, 2021