issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.

Added/updated documentation on using gpg signature files for the
distribution to security.txt.

Added signature files to main website/mercurial.

Removed verification documentation from public key file included in
distribution. key file now references security.txt/.html.

Author: rouilj

CHANGES.txt

@@ -16,6 +16,7 @@ python 3.6 or newer (3.4/3.5 might work, but they are not tested).
 
 Fixed:
 
+- Updated directions for verifying Roundup distribution using pgp.
 - Dockerfile healthcheck fixed so it works when trackers are
   specified on command line. Also cleanup of unneeded
   packages. (John Rouillard)

RELEASE.txt

@@ -138,41 +138,43 @@ Roundup release checklist:
     pypi account and be added as a maintainer to roundup. Ask existing
     maintainer for access. You can do this two ways:
 
-      python3 setup.py sdist upload --repository pypi --sign
+      python3 setup.py sdist upload --repository pypi
 
     which rebuilds the source distribution tarball and uploads it.
-    This means that you have uploaded something tha is not tested. It
-    should be the same as the tarball you tested but....
+    This means that you have uploaded something that is not tested,
+    also it does not have a gpg signature. It should be the same as
+    the tarball you tested but....
 
-    Another way to do this is to use twine (pip install twine).
+    A better way to do this is to use twine (pip install twine).
     You need to sign the tarball. This can be done with:
 
       cd dist
       gpg --detach-sign --armor -u 1F2DD0CB756A76D8 <filename>.tgz
 
     you should be prompted to use the roundup release key. If not you
     can add  [email protected].
-    This will create a file by the name <filename>.tgz.asc. Then
-    use twine to upload *both* the asc and distibution tarball
-    at the same time. E.G.:x
+    This will create a file by the name <filename>.tgz.asc.
+    The original directions used twine to upload the tarball and the
+    signature, but as of May 2023, PyPI no longer accepts signature
+    files.
 
-       twine upload --repository pypi <filename>.tar.gz <filename>.tar.gz.asc
+    So we publish the signature as part of the website. Move the file
+    to the website/www/signatures directory. Commit the .asc signature
+    file to mercurial.
 
-    (If you upload the .asc file separately from the distibution file
-    it gets a different path and is not able to be located in the pypi
-    interface. The asc file is downloaded using the tarball path and
-    add `asc'.)
+    Use twine to upload the distribution tarball. E.G.
+
+       twine upload --repository pypi <filename>.tar.gz
 
     The distribution file should appear on
     https://pypi.python.org/pypi/roundup in no time. If you are using
     python older than 2.7.13 you need a .pypirc shown below since the
-    URL has changed. If using 2.7.13 or newer, you can remove the
-    "--repository pypi" option and use 'setup.py sdist upload...'.
+    URL has changed.
 
     You can also use twine to upload the .whl (wheel) format
     distributions (if created). Follow the directions for generating
-    the gpg asc files and upload the .whl distribution and .whl.asc
-    signature files together.
+    the gpg asc files and place the .whl.asc in the signature
+    directory.
 
 14. Refresh website.
       website/README.txt

doc/security.txt

@@ -2,26 +2,117 @@
     :description:
         Documentation on how to report security issues with
         Roundup. Also index to security related portions in other
-        Roundup documentation.
+        Roundup documentation. How to verify distribution using gpg.
 
 .. index::
    single: Reporting Security Issues
    single: Security Issues, Reporting
 
 
-======================================
-Reporting Security Issues with Roundup
-======================================
+=======================
+Roundup Security Issues
+=======================
 
 Security issues with Roundup should be reported by email to:
 
    [email protected]  (John Rouillard)
 
    [email protected] (Ralf Schlatterbeck)
 
-Also you can find rouilj on irc in channel #roundup at irc.oftc.net (see
-Contact_ for more directions and web interface).
-
-Use these mechanisms to establish initial contact.
+If these fail, you can find rouilj on irc in channel #roundup at
+irc.oftc.net (see Contact_ for more directions and web
+interface). Methods listed at Contact_ are all public, so they should
+be used to contact somebody with the Roundup project for establishing
+a proper method of reporting the security issue.
 
 .. _Contact: https://www.roundup-tracker.org/contact.html
+
+Verify Source Tarball
+---------------------
+
+.. index::
+   single: Distribution, verify with gpg
+   single: Signature, verify
+
+If you download the source tarball using ``python3 -m pip download
+roundup`` or from https://pypi.org/project/roundup/#files you can
+verify the file using gpg.
+
+This is the information on the public PGP/GPG key used to sign Roundup
+distributions.  It is used to sign the 1.6.0, 2.2.0, and newer
+releases. (Note that the @ sign in email addresses have been replaced
+with the word "at" to reduce spam directed at the mailing list.)::
+
+  Key info: Roundup Team (signing key for roundup releases)
+      <roundup-devel at lists.sourceforge.net>
+  Expires: 2028-07-17
+  Key fingerprint = 411E 354B 5D1A F261 25D6  2122 1F2D D0CB 756A 76D8
+
+Releases 1.6.1, 2.0.0 and 2.1.0 were accidentally signed with this key
+[1]_::
+
+  Key info: John Rouillard (Roundup Release Key)
+      <rouilj+roundup at ieee.org>
+  Expires: 2023-07-09
+  Key fingerprint =  A1E6 364E 9429 E9D8 2B3B 2373 DB05 ADC4 2330 5876
+
+.. [1] Use gpg to import this key from the keyserver pgp.mit.edu
+       if you need to verify one of these releases. Use the gpg
+       pgp.mit.edu keyserver example replacing the key fingerprint
+       with the one starting A1E6.
+
+You can import a key from pgp.mit.edu using::
+
+   gpg --keyserver pgp.mit.edu --receive-keys 411E354B5D1AF26125D621221F2DD0CB756A76D8
+
+where the fingerprint (without spaces) is used to identify which key
+to receive. You can also extract and import the file
+``tools/roundup.public.pgp.key`` from the download source tarball
+using::
+
+  tar -xzvf roundup-2.2.0.tar.gz -O \
+     roundup-2.2.0/tools/roundup.public.pgp.key > pub.key
+
+  gpg --import pub.key
+
+Once you have loaded the public key, you need a detached signature for
+your release. PyPI used to support uploading gpg detached
+signatures. However that is no longer supported and downloading
+existing signatures may not work in the future.
+
+As a result, the signatures for all Roundup final releases starting
+with 1.6.0 have been moved and are linked below:
+
+* `2.2.0 <../signatures/roundup-2.2.0.tar.gz.asc>`_
+* `2.1.0 <../signatures/roundup-2.1.0.tar.gz.asc>`_
+* `2.0.0 <../signatures/roundup-2.0.0.tar.gz.asc>`_
+* `1.6.1 <../signatures/roundup-1.6.1.tar.gz.asc>`_
+* `1.6.0 <../signatures/roundup-1.6.0.tar.gz.asc>`_
+
+To use it, download the correct versioned link and verify it with
+(note 1.5.7 is a dummy version, use the correct version number)::
+
+  gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz
+
+You should see::
+
+  gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
+  gpg:                using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
+  gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" [unknown]
+  gpg: WARNING: This key is not certified with a trusted signature!
+  gpg:          There is no indication that the signature belongs to the owner.
+  Primary key fingerprint: 411E 354B 5D1A F261 25D6  2122 1F2D D0CB 756A 76D8
+
+which verifies the tarball integrity. The WARNING is expected and the
+date corresponds to the newest renewal of the Roundup key. As long as
+you see the output starting with "Good signature from" followed by the
+Key Info for your key, everything is OK.
+
+If something is wrong you will see:
+
+  gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT
+  gpg:                using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8
+  gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"
+
+*do not use* the tarball if the signature is BAD. Email the
+roundup-devel mailing list if you have this happen to you.

tools/roundup.public.pgp.key

@@ -1,51 +1,9 @@
-This is the public PGP/GPG key used to sign Roundup distributions.  It
-is used starting with the 1.6.0 release. (Note in this file the @ sign
-in emails have been replaced with the word "at".)
+This is the public PGP/GPG key used to sign Roundup distributions.
+See the Security document at:
 
-Key info: Roundup Team (signing key for roundup releases)
-    <roundup-devel at lists.sourceforge.net>
-RSA key ID: 756A76D8
-Expires: 2028-07-17
-Key fingerprint = 411E 354B 5D1A F261 25D6  2122 1F2D D0CB 756A 76D8
+   https://www.roundup-tracker.org/docs/security.html
 
-Import the key in this file using:
-
-   gpg --import roundup.public.pgp.key
-
-Then you can use it to verify a downloaded Roundup release from pypi.
-Get the url of the release from:
-
-  https://pypi.org/project/roundup
-
-Example (note there is no 1.5.7 release):
-
-  https://files.pythonhosted.org/packages/bf/14/d61fac5ed2aaca8c720ac4d4077428b8fdafa356089516ba9ee630975d2a/roundup-1.5.7.tar.gz
-
-download the file then download:
-
-  https://files.pythonhosted.org/packages/bf/14/d61fac5ed2aaca8c720ac4d4077428b8fdafa356089516ba9ee630975d2a/roundup-1.5.7.tar.gz.asc
-
-(same url as the file with .asc added at the end).
-
-To verify the tar file run:
-
-  gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz
-
-and you should see:
-
-  gpg: Signature made Wed 11 Jul 2018 08:40:06 PM EDT using RSA key ID 756A76D8
-  gpg: checking the trustdb
-  [...]
-  gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"
-  [...]
-
-which verifies the tarball integrity. If something is wrong you will see:
-
-  gpg: Signature made Wed 11 Jul 2018 08:40:06 PM EDT using RSA key ID 756A76D8
-  gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"
-
-*do not use* the tarball if the signature is BAD. Email the
-roundup-devel mailing list if there is a problem.
+for details on how to use it.
 
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 

website/www/Makefile

@@ -29,6 +29,7 @@ html: docs
 	sed -i -e '/<meta/s/og\\:/og:/' \
              -e '/<meta/s/name="og:/property="og:/' html/index.html
 	cp robots.txt html/robots.txt
+	mkdir html/signatures && cp signatures/*.asc html/signatures
 
 linkcheck:
 	mkdir -p $(TMP)/linkcheck $(TMP)/doctrees

website/www/signatures/roundup-1.6.0.tar.gz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJbSI1TAAoJEB8t0Mt1anbYSFsQAJvj4+piuyY51RTl7nbk+qKD
+aDwmlvNL/FcBlc9PmzCk71woUg8+IPVFqeCYGPj/dKieKivCaLTnwkNDEsYdBe5h
+08L50WOVMPPNEsLVI+j7q6BO9dVK+XE5zqNMub8JfcCf0A8emvruZskVoin5Pju+
+Vpge95yfBjOi+bfV8k0KjBjN+l/Ih1VzvER3YGmuMXhnP+nQaGlZ0i5lIphQDGeV
+zrqtBXwBETJ0vPQNmc+x6RjhD1Uwfe3Qm3IimfvwmKo4EfasJOlhycSYMZ2CUEWN
+3tSi3uKsZHAs+5Ya+MywLrO8IkQYFW3NVM3CK7ZWFH7uL3dgUP1Ui4L/LtnjMq/6
+4Oa4NsEeKmHmfmQOceLoqZ0zPLrJZpt+FW/bPtnDnNtDAwLJcvK6+9tCZnYKlajh
+iDWKNIOJWauyfub1l75znsDmrpoU5K/9ISxlG7lIUMWjMBQoPcMy3JUr6jEtE2zb
+Rwm6Tst/E97ZL3xg/jBY8OgpOj9cgpqV8WtUBRumdpD3C93vPgBCeKcdR6wQ7G0d
+LLm4gxlseX9FGOdsUShpC6aEegatX15t/sstZE+b/WYdu0hgF2wPh9ERnfis3eAz
+Xof+shdZliJH+HNfPaTbQjhgqUJ8Aiur/AfT/4NjtiwS7wVvuguJ1vpU59yMEppM
+yEExU26bxUuHoajAmpAW
+=lrME
+-----END PGP SIGNATURE-----

website/www/signatures/roundup-1.6.1.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJdKdmzAAoJENsFrcQjMFh2o28L/iSCGofdtHXiM2GVjyaHYudL
+9KCptcZX0XHZliVevVXiAbHVegpG2nnt2EhW2uv3AxJFJysDg+nVQIRWZlwvuw8I
+3jk+sQAjSesOkOHGwUy/G9lZzAqI9L6cWB/HedNL9pUznA4akF/Xv9RIo7V5T1Ph
+uVpvuDtxD6DF7EaymBo+LVCZQjH1loff3YYGJcJj97785jglphuTbLuS0o0dtR0s
+ZfT8jwfuGgJWKN+5eL0ieda+5K+e8XRG7VUx5TGnDkmKbHWtEH+6ZjSKjRi0b1oH
+LCNqHe4No9WgrIhWUgEQNe4EbVoFGqE0B8RJom4kAolMd8uH8z+KutisPGET9H/b
+3rhOTq9cGN5IAmo5l3gteSLD+S28UbjKXneN9ycqGABug2CjZV8HzfexxCr7UI20
+XHsDQNnPv+BKcOzImrmqcWoao7kKbeQ+4RYfVokUGNCiWAZmwvqGoiF1E9lAhyes
+V7tepsvWy1640nxAdQD8/W+E3dpK4kKqjRtOEgQNcg==
+=eJeY
+-----END PGP SIGNATURE-----

website/www/signatures/roundup-2.0.0.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEEoeY2TpQp6dgrOyNz2wWtxCMwWHYFAl8MXlcACgkQ2wWtxCMw
+WHYbcQv/RlIQFEQqSorZ/+SEuv8txmwBWmizASIhvbvlS4Nfjx7RnAjAI0PFEaJI
+F6sqDjBCQhv6SI4t4Z1RVT/0Btt9DOThrDECc2dwMZaoIzUqmulN19l/ATrk7imq
+NkZ2KwACUtQA0YGJXcqi6wUsJBbFcuZSDdxHfzQ5UO1Myk37UXvQ01GLuPj6RppG
+MwmdTEcDI9souxEQWQQtEEWa6mvbVG0yVMUTevXrws0TqGWV/k8x1mIlpyaebCSx
+DXmmnuYnyTbDS3Yx9Rh+wJNuEEQM8P0/kj9DsNzGMd+941ckgyIk7v9M1OPl8FyM
+M0J2dlVVsJPUOrdiI/U/Y9jNFPde+3kUnX+24Nj3UZgzKk3stLRKer6oLM4YphjG
+Kq3p7FE2tmT0iQdyvQ1fiE1AOleslr/CErku42UD/CGfdOnpx3UzFCCpao7pesYY
+3XMfwwIjXMoCd4OjLS4D4FQljpnSuNVT0JW1UPtsfWrSycMoxPtFVg6a2ASQ7Ej8
+TVNkZi0X
+=2xhu
+-----END PGP SIGNATURE-----

website/www/signatures/roundup-2.1.0.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEEoeY2TpQp6dgrOyNz2wWtxCMwWHYFAmDtEooACgkQ2wWtxCMw
+WHZyowv/Z1kL4coSM661C7nQOQU/N5UBc7WfDPreLgmA1htONhTAxDstSN0TDmQu
+mYIRaYiO50iHYcUpEwrVy3tPgk3wT8XjpoVmCsuJhREeED502q3BYC6uzyfBeKWe
+QxvDa5+usMrw1jJpVXUYyfSOvC9MlBea5ZOwrlwsFeeoXli6RjZLzqotOjFmRrha
+/lUNRGJsIy5Tn5XIq3g8xCmOpqAYiraR4rz95QJ1yZIiP5mACVQ8ZHr58qmlPyHw
+qO7C4YYOSSSwaLqutvixlLyP5+L7CJtQQT3lcCEgwG9CoSxZmg/SkV0GlyDq8VV7
+cqvP1LG+VwO3RWH9RH08mc5KnIIX6GmY8V9f6AZ6oHCRC31TKMvs7lW1xZ5YiOIT
+Ao+qTKcEUkq97PbHFMeT7lNJePLL5gG1jtcK2BrDae3Ro2tLtwIMN6oAg6FPzDib
+kFNzl2mUcti3GDj6VP+Qz8LS9KEq7F4TvfKC3ZgyPcsFsxw7l03tj3DUphmK/Emd
+Jt/KxEVd
+=IqQw
+-----END PGP SIGNATURE-----

website/www/signatures/roundup-2.2.0.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQR41S10a8mEl1iEiHy3Qy3VqdtgFAmLOSO4ACgkQHy3Qy3Vq
+dthDlA//RFpw6qqlzW0tpam8Y/Sg5xyk8uuon/UUgjBBNv4pWJsg93aWRVLsBLQt
+2UuXSx4KuO46tX62mCo4wy7N93a0BMTuSu0UZX9svSbEudANj6mIWHOJd1CiBs6H
+eS1l0xJs/barIt1bP7mDY1vPMxb2Y0LFMAoZU8l938RUtoRQQt5kXHJJQbasM4J7
+pQjT/lXtD6vVKAcactfQKj+HdVhgt97ZP1ANFBB9rUrwa+b6E4peIgO61ueXKAtv
+GFQyKS2pv7khgw3VF0DB09JdyksAUr7Opj0p8mlK+s8l7ttjQ0ecPx8gpHv8Cgjr
+ZsaR1mH1tW/RPoOc70w86AQ07+kNrnPN/3ox62fO1ZjJo/ase3+ynS4p6WuM34l3
+hwDs989eJ+8oYdm8v2bk+jCHA8sGluC1y/YnpLG6LTn1ubrSBx1wTdvYMthZUlmn
+l9lNwCIrKzhS1jrDZZ2dTBcLpsB5fXi+q5hPCKgtWcDyzXD5EFtaTA1XGr3dMh/0
+jSoguw+vx3xE6EuAwoB2n+noUcZpoqwNGOhw7o15fOD8HZnGYn77i3z2SwW4TZhM
+JmKaTELAHotPXx6DGSkNfrxLLoLg0/UlqS1Ur2CTVBesueIwcGVET1XW1n9qt2Jp
+8MdN8tNofaThvWWz2WKkbJScRlGf9a/AkZT2iTQA/hRYNP66CU0=
+=XiE+
+-----END PGP SIGNATURE-----