"Python-3.6.8.tar.xz is not signed with a valid key" on first build
I get a signature verification error with Python-3.6.8.tar.xz when building from a fresh tor-browser-build checkout. It happens only the first time; i.e., immediately after RBM has downloaded the file. If I restart the build a second time (with the file already downloaded), the signature is verified successfully.
Here is what I did:
git clone https://git.torproject.org/builders/tor-browser-build.git
cd tor-browser-build/
git checkout tbb-10.5.3-build1
apt install libyaml-libyaml-perl ... uidmap
make testbuild
After about one hour of building:
Finished build of project container-image - container-image_buster-amd64-0e6a23ac3383.tar.gz
Using file /root/tor-browser-build/out/container-image/container-image_buster-amd64-0e6a23ac3383.tar.gz
--2021-07-25 16:15:08-- https://www.python.org/ftp/python/3.6.8/Python-3.6.8.tar.xz.asc
Resolving www.python.org (www.python.org)... 2a04:4e42:a::223, 151.101.40.223
Connecting to www.python.org (www.python.org)|2a04:4e42:a::223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/octet-stream]
Saving to: '/root/tor-browser-build/tmp/tmp.v9B2N3gNGG'
/root/tor-browser-build/tmp/tmp.v9B2N3g 100%[=============================>] 833 --.-KB/s in 0s
2021-07-25 16:15:08 (52.8 MB/s) - '/root/tor-browser-build/tmp/tmp.v9B2N3gNGG' saved [833/833]
Error: File Python-3.6.8.tar.xz is not signed with a valid key
make: *** [Makefile:123: testbuild] Error 1
The signature looks correct when I verify it manually:
# sha256sum out/python/Python-3.6.8.tar.xz*
35446241e995773b1bed7d196f4b624dadcadc8429f26282e756b2fb8a351193 out/python/Python-3.6.8.tar.xz
a12c71354f74219893a51ea43939b1e0c0b88fdd173834f9bdcfca7c97bd23dc out/python/Python-3.6.8.tar.xz.asc
# gpg --verify out/python/Python-3.6.8.tar.xz.asc
gpg: assuming signed data in 'out/python/Python-3.6.8.tar.xz'
gpg: Signature made Mon 24 Dec 2018 03:07:36 AM UTC
gpg: using RSA key 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
gpg: Can't check signature: No public key
# gpg keyring/python.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2014-11-02 [SC]
0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
uid Ned Deily <nad@baybryj.net>
uid Ned Deily (Python release signing key) <nad@acm.org>
uid keybase.io/nad <nad@keybase.io>
sub rsa4096 2014-11-02 [E]
When I run make testbuild a second time, it works:
Building project python - python-Debian-10-6790f8.tar.gz
Using file /root/tor-browser-build/out/container-image/container-image_buster-amd64-0e6a23ac3383.tar.gz
File Python-3.6.8.tar.xz is signed with id 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
Using file /root/tor-browser-build/out/python/Python-3.6.8.tar.xz
Build log: /root/tor-browser-build/logs/python-android-armv7.log
I can reproduce the error, without starting from a fresh tor-browser-build clone, by deleting out/python/Python-3.6.8.tar.xz*.
Edited by David Fifield
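An added example, not part of the original report and not RBM's own code: checking a detached signature against a single keyring file such as keyring/python.gpg and pinning the expected primary-key fingerprint, by reading gpg's machine-readable status output. The function names, the throwaway demo key and the sample file are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not RBM's.

# verify_detached KEYRING SIG DATA FPR
# Returns 0 only if gpg emits VALIDSIG and the primary-key fingerprint equals
# FPR. Only KEYRING is consulted; the user's default keyring is ignored.
# KEYRING must contain a "/" (e.g. ./keyring/python.gpg), otherwise gpg
# resolves the name relative to its home directory.
verify_detached() {
    vd_status=$(gpg --batch --no-default-keyring --keyring "$1" \
                    --status-fd 1 --verify "$2" "$3" 2>/dev/null) || true
    # "[GNUPG:] VALIDSIG <sig-fpr> ... <primary-key-fpr>": take the last field.
    vd_fpr=$(printf '%s\n' "$vd_status" |
             awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$vd_fpr" ] && [ "$vd_fpr" = "$4" ]
}

# demo: constructed data and a throwaway key in a temporary GNUPGHOME.
# Prints one word per check: good signature, wrong pinned key, tampered file.
demo() {
    d=$(mktemp -d) || return 1
    (
        GNUPGHOME=$d/home; export GNUPGHOME
        mkdir -m 700 "$GNUPGHOME"
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key 'Demo Signer <demo@example.invalid>' \
            ed25519 sign never 2>/dev/null
        fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null |
              awk -F: '$1 == "fpr" { print $10; exit }')
        gpg --batch --export > "$d/demo.gpg" 2>/dev/null
        printf 'constructed sample data\n' > "$d/file"
        gpg --batch --quiet --armor --detach-sign -o "$d/file.asc" "$d/file"
        verify_detached "$d/demo.gpg" "$d/file.asc" "$d/file" "$fpr" \
            && echo accepted || echo rejected
        verify_detached "$d/demo.gpg" "$d/file.asc" "$d/file" \
            0000000000000000000000000000000000000000 \
            && echo accepted || echo rejected
        echo tampered >> "$d/file"
        verify_detached "$d/demo.gpg" "$d/file.asc" "$d/file" "$fpr" \
            && echo accepted || echo rejected
        gpgconf --kill gpg-agent 2>/dev/null || true
    )
    rm -rf "$d"
}
```

With the paths from the report, the call would be `verify_detached ./keyring/python.gpg out/python/Python-3.6.8.tar.xz.asc out/python/Python-3.6.8.tar.xz 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D`.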