Unable to verify Python files

[george]

Hello,

I'm trying to verify the downloaded Python 3.9.1 files before I install them...

I created a new folder and downloaded these two files to it:

Python-3.9.1.tar.xz
Python-3.9.1.tar.xz.asc

I also downloaded and imported the public key to verify the files.

According to the Python website in order to verify the download I need to run this command:

gpg --verify Python-3.9.1.tar.xz.asc

I get the following message when I run the command:

gpg: Signature made Mon 07 Dec 2020 03:37:32 PM MST
gpg: using RSA key E3FF2839C048B25C084DEBE9B26995E310250568
gpg: Can't check signature: No public key

When I run gpg --list-keys I see this key info:

pub rsa4096 2015-05-11 [SC] [expires: 2025-05-11]
E3FF2839C048B25C084DEBE9B26995E310250568
uid [ unknown] Łukasz Langa (GPG langa.pl) <[email protected]>
uid [ unknown] Łukasz Langa (Work e-mail account) <[email protected]>
uid [ unknown] [jpeg image of size 24479]
sub rsa4096 2015-05-11 [E] [expires: 2025-05-11]

Can you someone please explain to me why I'm getting the gpg: Can't check signature: No public key error?

Thank you

[george]

I'm still not able to figure out how to verify these files so any help would be greatly appreciated. Thanks.

[Larz60+]

you should probably be asking this question on https://python.org (the authors of python)

[snippsat]

Get public key.

G:\div_code
λ gpg --recv-keys B26995E310250568
gpg: requesting key 10250568 from hkp server keys.gnupg.net
gpg: key 10250568: public key "\xc5\x81ukasz Langa (GPG langa.pl) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Test.

G:\div_code
λ  gpg --verify Python-3.9.1.tgz.asc
gpg: assuming signed data in `Python-3.9.1.tgz'
gpg: Signature made Mon Dec  7 23:37:32 2020     using RSA key ID 10250568
gpg: Good signature from "\xc5\x81ukasz Langa (GPG langa.pl) <[email protected]>"
gpg:                 aka "\xc5\x81ukasz Langa <[email protected]>"
gpg:                 aka "\xc5\x81ukasz Langa (Work e-mail account) <[email protected]>"
gpg:                 aka "[jpeg image of size 24479]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E3FF 2839 C048 B25C 084D  EBE9 B269 95E3 1025 0568

Get a warning,but it's okay look at fingerprint.
So this dos not work for me to get public key from the specified server,that's why get warning.
But method over is okay.

G:\div_code
λ gpg --keyserver https://keybase.io/ambv/ --recv-keys B26995E310250568
gpg: requesting key 10250568 from https server keybase.io
gpgkeys: no key data found for https://keybase.io/ambv/
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: key not found
gpg: keyserver communications error: bad public key
gpg: keyserver receive failed: bad public key

Can let pyenv do all install,then it download directly from python.org/ftp/python
pyenv Simple Python Version Management

# Install
tom@tom:~$ pyenv install 3.8.1
Downloading Python-3.8.1.tar.xz...
-> https://www.python.org/ftp/python/3.8.1/Python-3.8.1.tar.xz
Installing Python-3.8.1...
Installed Python-3.8.1 to /home/tom/.pyenv/versions/3.8.1
 
# Set as system wide version
tom@tom:~$ pyenv global 3.8.1

# Test
tom@tom:~$ python
Python 3.8.1 (default, Feb 11 2020, 09:18:58) 
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print(walrus := True)
True
>>> exit()

[george]

Verified and installed - thank you...

Get public key.

G:\div_code
λ gpg --recv-keys B26995E310250568
gpg: requesting key 10250568 from hkp server keys.gnupg.net
gpg: key 10250568: public key "\xc5\x81ukasz Langa (GPG langa.pl) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Test.

G:\div_code
λ  gpg --verify Python-3.9.1.tgz.asc
gpg: assuming signed data in `Python-3.9.1.tgz'
gpg: Signature made Mon Dec  7 23:37:32 2020     using RSA key ID 10250568
gpg: Good signature from "\xc5\x81ukasz Langa (GPG langa.pl) <[email protected]>"
gpg:                 aka "\xc5\x81ukasz Langa <[email protected]>"
gpg:                 aka "\xc5\x81ukasz Langa (Work e-mail account) <[email protected]>"
gpg:                 aka "[jpeg image of size 24479]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E3FF 2839 C048 B25C 084D  EBE9 B269 95E3 1025 0568

Get a warning,but it's okay look at fingerprint.
So this dos not work for me to get public key from the specified server,that's why get warning.
But method over is okay.

G:\div_code
λ gpg --keyserver https://keybase.io/ambv/ --recv-keys B26995E310250568
gpg: requesting key 10250568 from https server keybase.io
gpgkeys: no key data found for https://keybase.io/ambv/
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: key not found
gpg: keyserver communications error: bad public key
gpg: keyserver receive failed: bad public key

Can let pyenv do all install,then it download directly from python.org/ftp/python
pyenv Simple Python Version Management

# Install
tom@tom:~$ pyenv install 3.8.1
Downloading Python-3.8.1.tar.xz...
-> https://www.python.org/ftp/python/3.8.1/Python-3.8.1.tar.xz
Installing Python-3.8.1...
Installed Python-3.8.1 to /home/tom/.pyenv/versions/3.8.1
 
# Set as system wide version
tom@tom:~$ pyenv global 3.8.1

# Test
tom@tom:~$ python
Python 3.8.1 (default, Feb 11 2020, 09:18:58) 
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> print(walrus := True)
True
>>> exit()