Missing chain of trust for release 3.3.5
Hi! When trying to upgrade to 3.3.5 I ran into a different PGP key being used for the release.
With mailman < 3.3.5 the key with the ID 541EA0448453394FF77A0ECC9D9B2BA061D0A67C has been used to sign the sdist tarball uploaded to pypi.org.
With mailman == 3.3.5 the key with the ID 891C60724B58650CB1C4A6030D35F23FF689B708 has been used to sign the sdist tarball uploaded to pypi.org.
There is no trust path between these two keys, as I could not find a cross-signature:
gpg --list-signatures 891C60724B58650CB1C4A6030D35F23FF689B708
pub dsa3072 2016-02-15 [SC]
891C60724B58650CB1C4A6030D35F23FF689B708
uid [ unknown] Abhilash Raj
sig 3 0D35F23FF689B708 2016-02-15 Abhilash Raj
sub elg3072 2016-02-15 [E]
sig 0D35F23FF689B708 2016-02-15 Abhilash Raj
gpg --list-signatures 541EA0448453394FF77A0ECC9D9B2BA061D0A67C
pub rsa4096 2014-09-22 [SC] [expires: 2024-09-19]
541EA0448453394FF77A0ECC9D9B2BA061D0A67C
uid [ unknown] Abhilash Raj <raj.abhilash1@gmail.com>
sig 2EA76B9C2B466D9D 2016-06-04 John Hawley ("Warthog9") <warthog9@eaglescrag.net>
sig C00FBE2D92192788 2016-06-04 Arc Riley <arcriley@gmail.com>
sig 3 9D9B2BA061D0A67C 2016-09-05 Abhilash Raj <raj.abhilash1@gmail.com>
sig 3 9D9B2BA061D0A67C 2014-09-22 Abhilash Raj <raj.abhilash1@gmail.com>
uid [ unknown] Abhilash Raj <maxking@asynchronous.in>
sig 2EA76B9C2B466D9D 2016-06-04 John Hawley ("Warthog9") <warthog9@eaglescrag.net>
sig C00FBE2D92192788 2016-06-04 Arc Riley <arcriley@gmail.com>
sig 3 9D9B2BA061D0A67C 2016-09-05 Abhilash Raj <raj.abhilash1@gmail.com>
sig 3 9D9B2BA061D0A67C 2015-04-16 Abhilash Raj <raj.abhilash1@gmail.com>
sub rsa4096 2014-09-22 [E] [expires: 2024-09-19]
sig 9D9B2BA061D0A67C 2014-09-22 Abhilash Raj <raj.abhilash1@gmail.com>
@maxking please shed some light on this, as it is not easy from the outside to ascertain whether a supply-chain attack is in motion.
If 891C60724B58650CB1C4A6030D35F23FF689B708 is indeed your key, please provide a signature for it (using 541EA0448453394FF77A0ECC9D9B2BA061D0A67C).
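The check the report performs by eye (does the new key carry a certification issued by the old key?) can be automated by walking the OpenPGP packets of an exported key block. The following is an added example, not code from the Mailman project or from the issue author: a minimal RFC 4880 packet walker that lists the certifications on each user ID and reports whether any of them names the old key as issuer. The fingerprints are the two from the report; the key blocks are constructed in the file with fake key material, so only the packet framing and the issuer subpackets are realistic, which is all this trust-path check inspects.

```python
"""Does key B carry a certification issued by key A? (added example, see lead-in)"""
import struct
import sys

SIG_PACKET, PUBKEY_PACKET, SUBKEY_PACKET, USERID_PACKET = 2, 6, 14, 13
SUBPKT_ISSUER, SUBPKT_ISSUER_FPR = 16, 33          # RFC 4880 5.2.3.5 / RFC 4880bis
OLD_FPR = "541EA0448453394FF77A0ECC9D9B2BA061D0A67C"  # key used for mailman < 3.3.5
NEW_FPR = "891C60724B58650CB1C4A6030D35F23FF689B708"  # key used for mailman == 3.3.5


def keyid_from_fingerprint(fpr_hex: str) -> str:
    """A v4 key ID is the low 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return fpr_hex.replace(" ", "").upper()[-16:]


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP key block."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % i)
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def parse_subpackets(area: bytes):
    """Yield (subpacket type, value) from a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[i + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", area[i + 1:i + 5])[0], 5
        body = area[i + hdr:i + hdr + length]
        yield body[0] & 0x7F, body[1:]                  # high bit is the "critical" flag
        i += hdr + length


def signature_issuer(body: bytes):
    """Return (signature type, issuer key ID as upper-case hex) for a v4 signature packet."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sig_type = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
    unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
    issuer = None
    for subtype, val in list(parse_subpackets(hashed)) + list(parse_subpackets(unhashed)):
        if subtype == SUBPKT_ISSUER_FPR and val[0] == 4:  # issuer fingerprint wins if present
            return sig_type, val[1:21].hex().upper()[-16:]
        if subtype == SUBPKT_ISSUER and issuer is None:
            issuer = val.hex().upper()
    return sig_type, issuer


def certifications(keyblock: bytes):
    """List (user ID, signature type, issuer key ID) for every certification on the key."""
    out, uid = [], None
    for tag, body in parse_packets(keyblock):
        if tag in (PUBKEY_PACKET, SUBKEY_PACKET):
            uid = None                                  # binding sigs are not certifications
        elif tag == USERID_PACKET:
            uid = body.decode("utf-8", "replace")
        elif tag == SIG_PACKET and uid is not None:
            sig_type, issuer = signature_issuer(body)
            if 0x10 <= sig_type <= 0x13:                # generic/persona/casual/positive cert
                out.append((uid, sig_type, issuer))
    return out


def has_cross_signature(keyblock: bytes, signer_fingerprint: str) -> bool:
    """True if some user ID on the key is certified by the key with that fingerprint."""
    want = keyid_from_fingerprint(signer_fingerprint)
    return any(issuer == want for _, _, issuer in certifications(keyblock))


# --- constructed sample data (fake key material; framing and issuer subpackets only) ---
def _new_packet(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def _fake_certification(issuer_keyid_hex: str, sig_type: int = 0x13) -> bytes:
    issuer_sub = bytes([9, SUBPKT_ISSUER]) + bytes.fromhex(issuer_keyid_hex)
    return (bytes([4, sig_type, 1, 8]) + struct.pack(">H", 0)          # no hashed subpackets
            + struct.pack(">H", len(issuer_sub)) + issuer_sub          # issuer in unhashed area
            + b"\xab\xcd" + b"\x00\x08\x2a")                           # hash prefix, dummy MPI


NEW_KEY_SELFSIGNED = (_new_packet(PUBKEY_PACKET, b"\x04\x00\x00\x00\x00\x01\x00\x08\x2a\x00\x08\x03")
                      + _new_packet(USERID_PACKET, b"Abhilash Raj")
                      + _new_packet(SIG_PACKET, _fake_certification(keyid_from_fingerprint(NEW_FPR))))
NEW_KEY_CROSS_SIGNED = NEW_KEY_SELFSIGNED + _new_packet(
    SIG_PACKET, _fake_certification(keyid_from_fingerprint(OLD_FPR), 0x10))

if __name__ == "__main__":                               # usage: python3 check.py key.gpg [signer fpr]
    block = open(sys.argv[1], "rb").read()
    for uid, sig_type, issuer in certifications(block):
        print("%-40s sig type 0x%02x by %s" % (uid, sig_type, issuer))
    print("cross-signed by", OLD_FPR, ":", has_cross_signature(block, sys.argv[2] if len(sys.argv) > 2 else OLD_FPR))
```

Feed it a binary export (`gpg --export 891C60724B58650CB1C4A6030D35F23FF689B708 > key.gpg`, without export-minimal, which would strip third-party certifications). Two caveats: the walker only reads what each signature packet claims about its issuer, so a match is a lead, not proof; anyone can attach a signature packet that names any key ID. Only `gpg --check-sigs` (or an equivalent verification of the signature itself) turns the claimed issuer into an actual trust path. And key IDs are 64-bit truncations of the fingerprint, so compare against the full fingerprint of the expected signer, as the report does, rather than accepting any key whose ID happens to match.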