For once I tried to verify a download from python.org, following the steps outlined at

https://www.python.org/downloads/#pubkeys

"""
You can import the release manager public keys by either downloading the public key file from here and then running

gpg --import pubkeys.txt
"""

When I ran the command above I saw

$ gpg --import pubkeys.txt
gpg: Schlüssel 6F5E1540: "Ned Deily <[email protected]>" 2 neue Signaturen
gpg: Schlüssel 6A45C816: "Anthony Baxter <[email protected]>" nicht geändert
gpg: Schlüssel 36580288: "Georg Brandl (Python release signing key) <[email protected]>" 2 neue Signaturen
gpg: Schlüssel 7D9DC8D2: "Martin v. Löwis <[email protected]>" nicht geändert
gpg: Schlüssel 18ADD4FF: "Benjamin Peterson <[email protected]>" 3 neue Signaturen
gpg: Schlüssel A4135B38: "Benjamin Peterson <[email protected]>" 1 neue Signatur
gpg: Schlüssel A74B06BF: "Barry Warsaw <[email protected]>" 138 neue Signaturen
gpg: Schlüssel EA5BBD71: "Barry A. Warsaw <[email protected]>" 6 neue Signaturen
gpg: Schlüssel E6DF025C: "Ronald Oussoren <[email protected]>" nicht geändert
gpg: Schlüssel F73C700D: "Larry Hastings <[email protected]>" 2 neue Signaturen
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <[email protected]>" 1 neue User-ID
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <[email protected]>" 20 neue Signaturen
gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <[email protected]>" 8 neue Signaturen
gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <[email protected]>" importiert
gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
[...]

Now "totally legit" does sound like anything but "totally legit". Is there a problem with my machine, or python.org, or is this all "totally legit"?

Advice or pointers welcome.

-- 
https://mail.python.org/mailman/listinfo/python-list
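
Several 8-character key IDs in the output above are listed under two different names. As an added example (not part of the original post), the Python below groups `gpg --import` lines by key ID and reports every ID that appears with more than one distinct name; the function names are hypothetical and the regex assumes the line format shown in the post.

```python
import re
from collections import defaultdict

# Subset of the import output quoted in the post above (addresses appear
# redacted there and are kept as-is).
SAMPLE = """\
gpg: Schlüssel 6A45C816: "Anthony Baxter <[email protected]>" nicht geändert
gpg: Schlüssel F73C700D: "Larry Hastings <[email protected]>" 2 neue Signaturen
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <[email protected]>" 1 neue User-ID
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <[email protected]>" 20 neue Signaturen
gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <[email protected]>" 8 neue Signaturen
gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <[email protected]>" importiert
gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <[email protected]>" importiert
"""

# Assumed line shape: gpg: <localized word> <hex key ID>: ... "<user ID>" ...
LINE_RE = re.compile(r'^gpg:\s+\S+\s+([0-9A-Fa-f]{8,16}):[^"]*"([^"]+)"')


def user_name(uid):
    """Drop the trailing <address> so repeated lines for one key compare equal."""
    return re.sub(r"\s*<[^>]*>\s*$", "", uid).strip()


def ambiguous_key_ids(import_output):
    """Map each key ID seen with more than one distinct name to those names."""
    names = defaultdict(set)
    for line in import_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            names[m.group(1).upper()].add(user_name(m.group(2)))
    return {kid: sorted(n) for kid, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    for kid, who in sorted(ambiguous_key_ids(SAMPLE).items()):
        print(f"{kid}: listed under {len(who)} different names: {', '.join(who)}")
```

An 8-character key ID is only the low 32 bits of the key's fingerprint, so two different keys can share one; compare the full fingerprints (`gpg --fingerprint`) against a trusted source before relying on any of the imported keys.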
