search

BusKill / buskill-app

BusKill's main CLI/GUI app for arming/disarming/configuring the BusKill laptop kill cord
https://www.buskill.in
GNU General Public License v3.0
154 stars 22 forks source link

Fix Builds (python_gnupg-0.5.2-py2.py3-none-any.whl.asc 404 not found) #78

Closed maltfield closed 2 months ago

maltfield commented 7 months ago

Describe the bug Currently it's not possible to build the BusKill app due to gpg signing issues with the python-gnupg dependency

To Reproduce I've tested this on Linux, but it should be an issue on all platforms

Steps to reproduce the behavior:

Execute the following on Debian 11

sudo su -
sudo apt-get install git
git clone https://github.com/BusKill/buskill-app.git
cd buskill-app/
build/linux/debianWrapper.sh

You'll get the following error

user@buskill:~/sandbox/buskill-app$ build/linux/debianWrapper.sh 
...
Successfully installed Kivy-1.11.1 Kivy-Garden-0.1.4 certifi-2020.6.20 chardet-3.0.4 docutils-0.16 idna-2.10 pygments-2.6.1 requests-2.24.0 urllib3-1.25.9
++ mktemp -d
+ tmpDir=/tmp/tmp.TxQFtmxBry
+ chown _apt:root /tmp/tmp.TxQFtmxBry
+ chmod 0770 /tmp/tmp.TxQFtmxBry
+ pushd /tmp/tmp.TxQFtmxBry
+ /bin/su _apt -s /bin/bash -c '/tmp/kivy_appdir/AppRun -m pip download python-gnupg'
/tmp/tmp.TxQFtmxBry ~/buskill-app
WARNING: The directory '/nonexistent/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting python-gnupg
  Downloading python_gnupg-0.5.2-py2.py3-none-any.whl (20 kB)
  Saved ./python_gnupg-0.5.2-py2.py3-none-any.whl
Successfully downloaded python-gnupg
WARNING: You are using pip version 20.1.1; however, version 24.0 is available.
You should consider upgrading via the '/tmp/kivy_appdir/opt/python3.7/bin/python3.7 -m pip install --upgrade pip' command.
++ head -n1
++ ls -1
+ filename=python_gnupg-0.5.2-py2.py3-none-any.whl
++ /bin/su _apt -s /bin/bash -c 'curl -s https://pypi.org/simple/python-gnupg/'
++ grep -oE 'https://.*python_gnupg-0.5.2-py2.py3-none-any.whl#'
++ sed s/#/.asc/
+ signature_url=https://files.pythonhosted.org/packages/5f/86/18938c2378a8c8284910308b93e2bc521a965ced4ca028947e1ffa6e98dc/python_gnupg-0.5.2-py2.py3-none-any.whl.asc
+ /bin/su _apt -s /bin/bash -c 'wget "https://files.pythonhosted.org/packages/5f/86/18938c2378a8c8284910308b93e2bc521a965ced4ca028947e1ffa6e98dc/python_gnupg-0.5.2-py2.py3-none-any.whl.asc"'
--2024-02-26 01:35:40--  https://files.pythonhosted.org/packages/5f/86/18938c2378a8c8284910308b93e2bc521a965ced4ca028947e1ffa6e98dc/python_gnupg-0.5.2-py2.py3-none-any.whl.asc
Resolving files.pythonhosted.org (files.pythonhosted.org)... 199.232.44.223, 2a04:4e42:48::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|199.232.44.223|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-02-26 01:35:42 ERROR 404: Not Found.

+ mkdir gnupg
+ chmod 0700 gnupg
+ popd
+ gpg --homedir /tmp/tmp.TxQFtmxBry/gnupg --import build/deps/python-gnupg.asc
~/buskill-app
gpg: keybox '/tmp/tmp.TxQFtmxBry/gnupg/pubring.kbx' created
gpg: /tmp/tmp.TxQFtmxBry/gnupg/trustdb.gpg: trustdb created
gpg: key 9147B477339A9B86: public key "Vinay Sajip (CODE SIGNING KEY) <vinay_sajip@yahoo.co.uk>" imported
gpg: Total number processed: 1
gpg:               imported: 1
+ gpgv --homedir /tmp/tmp.TxQFtmxBry/gnupg --keyring /tmp/tmp.TxQFtmxBry/gnupg/pubring.kbx /tmp/tmp.TxQFtmxBry/python_gnupg-0.5.2-py2.py3-none-any.whl.asc /tmp/tmp.TxQFtmxBry/python_gnupg-0.5.2-py2.py3-none-any.whl
gpgv: can't open '/tmp/tmp.TxQFtmxBry/python_gnupg-0.5.2-py2.py3-none-any.whl.asc': No such file or directory
gpgv: verify signatures failed: No such file or directory
ERROR: Invalid PGP signature!
+ [[ 2 -ne 0 ]]
+ echo 'ERROR: Invalid PGP signature!'
+ exit 1
+ chown -R user dist
+ exit 0
+ exit 0
user@buskill:~/sandbox/buskill-app$

Expected behavior The build should be able to verify the authenticity of the python_gnupg package and proceed with building the BusKill app

maltfield commented 7 months ago

In the past, we've had build issues due to the verification of this same python_gnupg python module, but only on MacOS

  1. https://github.com/BusKill/buskill-app/issues/70
  2. https://github.com/BusKill/buskill-app/issues/72

In the above issues, the issue was a tooling issue with the availability of curl/wget on MacOS.

But in this case, it appears that the file actually has disappeared from the server. I cannot fetch it, for example, on my local machine

user@buskill:~$ wget https://files.pythonhosted.org/packages/5f/86/18938c2378a8c8284910308b93e2bc521a965ced4ca028947e1ffa6e98dc/python_gnupg-0.5.2-py2.py3-none-any.whl
--2024-02-25 22:08:59--  https://files.pythonhosted.org/packages/5f/86/18938c2378a8c8284910308b93e2bc521a965ced4ca028947e1ffa6e98dc/python_gnupg-0.5.2-py2.py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.124.223, 2a04:4e42:1e::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.124.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20964 (20K) [binary/octet-stream]
Saving to: ‘python_gnupg-0.5.2-py2.py3-none-any.whl’

python_gnupg-0.5.2- 100%[===================>]  20.47K  --.-KB/s    in 0.02s   

2024-02-25 22:09:00 (868 KB/s) - ‘python_gnupg-0.5.2-py2.py3-none-any.whl’ saved [20964/20964]

user@buskill:~$ 

user@buskill:~$ wget https://files.pythonhosted.org/packages/5f/86/18938c2378a8c8284910308b93e2bc521a965ced4ca028947e1ffa6e98dc/python_gnupg-0.5.2-py2.py3-none-any.whl.asc
--2024-02-25 22:09:03--  https://files.pythonhosted.org/packages/5f/86/18938c2378a8c8284910308b93e2bc521a965ced4ca028947e1ffa6e98dc/python_gnupg-0.5.2-py2.py3-none-any.whl.asc
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.124.223, 2a04:4e42:1e::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.124.223|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-02-25 22:09:04 ERROR 404: Not Found.

user@buskill:~$
maltfield commented 7 months ago

I checked the package's page on the PyPI project's website. If there's a newer version, then it might make sense that the archived version somehow got orphaned from its signature? If so, it's a bug that we should report

Anyway, it appears that the version hasn't changed since the one we pegged as a dependency. The latest version is still v0.5.2

maltfield commented 7 months ago

I was digging through my notes and found that my old link to hash checking in PyPI is stale

The above link points to a new location which, after some digging, brings you here

Woah, that's dangerous. The above link suggests that hash checking in pip somehow adds security to verify packages are not malicious when turned-on. This is dangerous misinformation. pip doesn't have any built-in mechanism to cryptographically verify the authenticity of packages (although they've been working on this since 2019).

The whole reason we have this awkward manual gpg check is because pip doesn't have a secure way to download software. Fortunately, twine does have PGP signing support, as documented here:

Anyway, I opened a ticket with PyPI to fix their documentation to move the hashing section outside of the Secure Install section and to add a big warning indicating to users that hashes does not provide any secure verification checks

maltfield commented 7 months ago

I opened an upstream bug about this here:

maltfield commented 7 months ago

I switched to fetching the files from GitHub, but now I have an issue with verifying the signature of the libusb1 dependency

Successfully installed Kivy-1.11.1 Kivy-Garden-0.1.4 certifi-2020.6.20 chardet-3.0.4 docutils-0.16 idna-2.10 pygments-2.6.1 requests-2.24.0 urllib3-1.25.9
++ mktemp -d
+ tmpDir=/tmp/tmp.hTMYgQLAMP
+ chown _apt:root /tmp/tmp.hTMYgQLAMP
+ chmod 0770 /tmp/tmp.hTMYgQLAMP
+ pushd /tmp/tmp.hTMYgQLAMP
/tmp/tmp.hTMYgQLAMP ~/buskill-app
+ file_url=https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl
+ signature_url=https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl.asc
+ /bin/su _apt -s /bin/bash -c 'wget "https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl"'
--2024-02-27 00:20:12--  https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/436952016/770eba9a-6d0e-489e-beb3-660efc8abc55?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240227T002015Z&X-Amz-Expires=300&X-Amz-Signature=d6d333e9827488296005b9563b5060663602719b4323be9e940fc2e4019f76de&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=436952016&response-content-disposition=attachment%3B%20filename%3Dpython_gnupg-0.5.2-py2.py3-none-any.whl&response-content-type=application%2Foctet-stream [following]
--2024-02-27 00:20:14--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/436952016/770eba9a-6d0e-489e-beb3-660efc8abc55?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240227T002015Z&X-Amz-Expires=300&X-Amz-Signature=d6d333e9827488296005b9563b5060663602719b4323be9e940fc2e4019f76de&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=436952016&response-content-disposition=attachment%3B%20filename%3Dpython_gnupg-0.5.2-py2.py3-none-any.whl&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20964 (20K) [application/octet-stream]
Saving to: 'python_gnupg-0.5.2-py2.py3-none-any.whl'

     0K .......... ..........                                 100% 2.51M=0.008s

2024-02-27 00:20:17 (2.51 MB/s) - 'python_gnupg-0.5.2-py2.py3-none-any.whl' saved [20964/20964]

++ ls -1
++ head -n1
+ filename=python_gnupg-0.5.2-py2.py3-none-any.whl
+ /bin/su _apt -s /bin/bash -c 'wget "https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl.asc"'
--2024-02-27 00:20:17--  https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl.asc
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/436952016/d1d4da38-0a74-42b8-aa0f-120f13479a30?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240227T002020Z&X-Amz-Expires=300&X-Amz-Signature=6b0dbdfe514fea43d2a4db573cf3ba5b44c16abcf510ed005368e91f22427422&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=436952016&response-content-disposition=attachment%3B%20filename%3Dpython_gnupg-0.5.2-py2.py3-none-any.whl.asc&response-content-type=application%2Foctet-stream [following]
--2024-02-27 00:20:20--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/436952016/d1d4da38-0a74-42b8-aa0f-120f13479a30?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240227T002020Z&X-Amz-Expires=300&X-Amz-Signature=6b0dbdfe514fea43d2a4db573cf3ba5b44c16abcf510ed005368e91f22427422&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=436952016&response-content-disposition=attachment%3B%20filename%3Dpython_gnupg-0.5.2-py2.py3-none-any.whl.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 801 [application/octet-stream]
Saving to: 'python_gnupg-0.5.2-py2.py3-none-any.whl.asc'

     0K                                                       100% 38.5M=0s

2024-02-27 00:20:22 (38.5 MB/s) - 'python_gnupg-0.5.2-py2.py3-none-any.whl.asc' saved [801/801]

+ mkdir gnupg
+ chmod 0700 gnupg
+ popd
+ gpg --homedir /tmp/tmp.hTMYgQLAMP/gnupg --import build/deps/python-gnupg.asc
~/buskill-app
gpg: keybox '/tmp/tmp.hTMYgQLAMP/gnupg/pubring.kbx' created
gpg: /tmp/tmp.hTMYgQLAMP/gnupg/trustdb.gpg: trustdb created
gpg: key 9147B477339A9B86: public key "Vinay Sajip (CODE SIGNING KEY) <vinay_sajip@yahoo.co.uk>" imported
gpg: Total number processed: 1
gpg:               imported: 1
+ gpgv --homedir /tmp/tmp.hTMYgQLAMP/gnupg --keyring /tmp/tmp.hTMYgQLAMP/gnupg/pubring.kbx /tmp/tmp.hTMYgQLAMP/python_gnupg-0.5.2-py2.py3-none-any.whl.asc /tmp/tmp.hTMYgQLAMP/python_gnupg-0.5.2-py2.py3-none-any.whl
gpgv: Signature made Tue Dec 12 08:14:22 2023 UTC
gpgv:                using RSA key 9147B477339A9B86
gpgv: Good signature from "Vinay Sajip (CODE SIGNING KEY) <vinay_sajip@yahoo.co.uk>"
+ [[ 0 -ne 0 ]]
+ /tmp/kivy_appdir/AppRun -m pip install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:////tmp/tmp.hTMYgQLAMP /tmp/tmp.hTMYgQLAMP/python_gnupg-0.5.2-py2.py3-none-any.whl
WARNING: The directory '/root/buskill-app/build/deps' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Looking in links: file://tmp/tmp.hTMYgQLAMP
Processing /tmp/tmp.hTMYgQLAMP/python_gnupg-0.5.2-py2.py3-none-any.whl
Installing collected packages: python-gnupg
Successfully installed python-gnupg-0.5.2
+ rm -rf /tmp/tmp.hTMYgQLAMP
++ mktemp -d
+ tmpDir=/tmp/tmp.TMbcMBjmCN
+ chown _apt:root /tmp/tmp.TMbcMBjmCN
+ chmod 0770 /tmp/tmp.TMbcMBjmCN
/tmp/tmp.TMbcMBjmCN ~/buskill-app
+ pushd /tmp/tmp.TMbcMBjmCN
+ /bin/su _apt -s /bin/bash -c '/tmp/kivy_appdir/AppRun -m pip download libusb1'
WARNING: The directory '/nonexistent/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting libusb1
  Downloading libusb1-3.1.0-py3-none-any.whl (62 kB)
  Saved ./libusb1-3.1.0-py3-none-any.whl
Successfully downloaded libusb1
WARNING: You are using pip version 20.1.1; however, version 24.0 is available.
You should consider upgrading via the '/tmp/kivy_appdir/opt/python3.7/bin/python3.7 -m pip install --upgrade pip' command.
++ ls -1
++ head -n1
+ filename=libusb1-3.1.0-py3-none-any.whl
++ /bin/su _apt -s /bin/bash -c 'curl -s https://pypi.org/simple/libusb1/'
++ grep -oE 'https://.*libusb1-3.1.0-py3-none-any.whl#'
++ sed s/#/.asc/
+ signature_url=https://files.pythonhosted.org/packages/85/5c/9169aea7690df382b677d9f725accc3ec864849c5ab49991e3823a942392/libusb1-3.1.0-py3-none-any.whl.asc
+ /bin/su _apt -s /bin/bash -c 'wget "https://files.pythonhosted.org/packages/85/5c/9169aea7690df382b677d9f725accc3ec864849c5ab49991e3823a942392/libusb1-3.1.0-py3-none-any.whl.asc"'
--2024-02-27 00:20:34--  https://files.pythonhosted.org/packages/85/5c/9169aea7690df382b677d9f725accc3ec864849c5ab49991e3823a942392/libusb1-3.1.0-py3-none-any.whl.asc
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.164.223, 2a04:4e42:27::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.164.223|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-02-27 00:20:36 ERROR 404: Not Found.

+ mkdir gnupg
+ chmod 0700 gnupg
~/buskill-app
+ popd
+ gpg --homedir /tmp/tmp.TMbcMBjmCN/gnupg --import build/deps/libusb1.asc
gpg: keybox '/tmp/tmp.TMbcMBjmCN/gnupg/pubring.kbx' created
gpg: /tmp/tmp.TMbcMBjmCN/gnupg/trustdb.gpg: trustdb created
gpg: key CAC936914257B0C1: public key "Vincent Pelletier <vincent.plr@wanadoo.fr>" imported
gpg: Total number processed: 1
gpg:               imported: 1
+ gpgv --homedir /tmp/tmp.TMbcMBjmCN/gnupg --keyring /tmp/tmp.TMbcMBjmCN/gnupg/pubring.kbx /tmp/tmp.TMbcMBjmCN/libusb1-3.1.0-py3-none-any.whl.asc /tmp/tmp.TMbcMBjmCN/libusb1-3.1.0-py3-none-any.whl
gpgv: can't open '/tmp/tmp.TMbcMBjmCN/libusb1-3.1.0-py3-none-any.whl.asc': No such file or directory
gpgv: verify signatures failed: No such file or directory
ERROR: Invalid PGP signature!
+ [[ 2 -ne 0 ]]
+ echo 'ERROR: Invalid PGP signature!'
+ exit 1
+ chown -R user dist
+ exit 0
+ exit 0
user@buskill:~/sandbox/buskill-app$
maltfield commented 7 months ago

I opened an upstream bug about this here:

maltfield commented 7 months ago

Per the above ticket, the python-libusb1 project is now uploading their releases (including their release signatures) as GitHub releases, which should enable us to fix this bug by switching from downloading from PyPI to GitHub.

maltfield commented 7 months ago

I've replaced the download URL for the signed python deps from PyPI to GitHub in all three platform's build scripts, but it looks like MacOS is still having some distinct issues finding the path to pip after upgrade

2024-03-07T23:52:10.4864930Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/pip-20.1.1-py2.py3-none-any.whl
2024-03-07T23:52:10.9370650Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-03-07T23:52:10.9683600Z Processing ./build/deps/pip-20.1.1-py2.py3-none-any.whl
2024-03-07T23:52:11.0374420Z Installing collected packages: pip
2024-03-07T23:52:12.3176550Z Successfully installed pip-23.3.1
2024-03-07T23:52:12.4074210Z ++ sort -n
2024-03-07T23:52:12.4102550Z ++ uniq
2024-03-07T23:52:12.4104960Z ++ find /usr/local/Cellar/python -type f -wholename '*bin/pip3*'
2024-03-07T23:52:12.4107930Z ++ head -n1
2024-03-07T23:52:12.4108430Z find: /usr/local/Cellar/python: No such file or directory
2024-03-07T23:52:12.4115640Z + PIP_PATH=
2024-03-07T23:52:12.4125740Z ++ pwd
2024-03-07T23:52:12.4131170Z + install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/setuptools-49.1.0-py3-none-any.whl
2024-03-07T23:52:12.4196800Z install: illegal option -- -
maltfield commented 7 months ago

I'm also struggling with the PowerShell on Windows.

For some reason I can't get the subcommand to work on this curl call. But if I take the same output from the subcommand and paste it into the curl command manually, it works fine

PS C:\> curl -OutFile "$(Split-Path -Leaf ${file_url})" "${file_url}"
Invoke-WebRequest : Illegal characters in path.
At line:1 char:1
+ Invoke-WebRequest -OutFile "$(Split-Path -Leaf ${file_url})" "${file_ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-WebRequest], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

PS C:\>

PS C:\> Split-Path -Leaf "${file_url}"
python_gnupg-0.5.2-py2.py3-none-any.whl

PS C:\> curl -OutFile "python_gnupg-0.5.2-py2.py3-none-any.whl" "${file_url}"
PS C:\>

I've asked about this on SE here:

maltfield commented 7 months ago

Update: issue with the windows builds in previous comment was a trailing newline. I fixed it by saving the output of Split-Path to a variable and using trim() on that variable.

maltfield commented 7 months ago

Windows builds are fixed!

I fixed the issue with the MacOS builds not being able to find PIP_PATH by adding a wildcard glob at the end of /usr/local/Cellar/python*

But, unfortunately, lots of other pip depends are now failing to install

024-03-08T03:55:28.9972210Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/setuptools-49.1.0-py3-none-any.whl
2024-03-08T03:55:29.1427280Z Traceback (most recent call last):
2024-03-08T03:55:29.1428920Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3", line 5, in <module>
2024-03-08T03:55:29.1430120Z     from pip._internal.cli.main import main
2024-03-08T03:55:29.1431310Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 10, in <module>
2024-03-08T03:55:29.1432440Z     from pip._internal.cli.autocompletion import autocomplete
2024-03-08T03:55:29.1433710Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/autocompletion.py", line 9, in <module>
2024-03-08T03:55:29.1435590Z     from pip._internal.cli.main_parser import create_main_parser
2024-03-08T03:55:29.1436890Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main_parser.py", line 7, in <module>
2024-03-08T03:55:29.1437960Z     from pip._internal.cli import cmdoptions
2024-03-08T03:55:29.1440800Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/cmdoptions.py", line 24, in <module>
2024-03-08T03:55:29.1441970Z     from pip._internal.cli.progress_bars import BAR_TYPES
2024-03-08T03:55:29.1443210Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/progress_bars.py", line 12, in <module>
2024-03-08T03:55:29.1444370Z     from pip._internal.utils.logging import get_indentation
2024-03-08T03:55:29.1445570Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/logging.py", line 18, in <module>
2024-03-08T03:55:29.1446660Z     from pip._internal.utils.misc import ensure_dir
2024-03-08T03:55:29.1447770Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 31, in <module>
2024-03-08T03:55:29.1448780Z     from pip._internal.locations import (
2024-03-08T03:55:29.1450340Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/locations/__init__.py", line 9, in <module>
2024-03-08T03:55:29.1451550Z     from pip._internal.models.scheme import SCHEME_KEYS, Scheme
2024-03-08T03:55:29.1453230Z ImportError: cannot import name 'SCHEME_KEYS' from 'pip._internal.models.scheme' (/usr/local/lib/python3.11/site-packages/pip/_internal/models/scheme.py)
2024-03-08T03:55:29.1600870Z ++ pwd
2024-03-08T03:55:29.1606060Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/wheel-0.34.2-py2.py3-none-any.whl
2024-03-08T03:55:29.3006910Z Traceback (most recent call last):
2024-03-08T03:55:29.3008080Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3", line 5, in <module>
2024-03-08T03:55:29.3009800Z     from pip._internal.cli.main import main
2024-03-08T03:55:29.3011050Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 10, in <module>
2024-03-08T03:55:29.3012170Z     from pip._internal.cli.autocompletion import autocomplete
2024-03-08T03:55:29.3013460Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/autocompletion.py", line 9, in <module>
2024-03-08T03:55:29.3014680Z     from pip._internal.cli.main_parser import create_main_parser
2024-03-08T03:55:29.3015940Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main_parser.py", line 7, in <module>
2024-03-08T03:55:29.3017000Z     from pip._internal.cli import cmdoptions
2024-03-08T03:55:29.3018120Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/cmdoptions.py", line 24, in <module>
2024-03-08T03:55:29.3019260Z     from pip._internal.cli.progress_bars import BAR_TYPES
2024-03-08T03:55:29.3020490Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/progress_bars.py", line 12, in <module>
2024-03-08T03:55:29.3021660Z     from pip._internal.utils.logging import get_indentation
2024-03-08T03:55:29.3022870Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/logging.py", line 18, in <module>
2024-03-08T03:55:29.3023960Z     from pip._internal.utils.misc import ensure_dir
2024-03-08T03:55:29.3025080Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 31, in <module>
2024-03-08T03:55:29.3026090Z     from pip._internal.locations import (
2024-03-08T03:55:29.3027210Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/locations/__init__.py", line 9, in <module>
2024-03-08T03:55:29.3028410Z     from pip._internal.models.scheme import SCHEME_KEYS, Scheme
2024-03-08T03:55:29.3030100Z ImportError: cannot import name 'SCHEME_KEYS' from 'pip._internal.models.scheme' (/usr/local/lib/python3.11/site-packages/pip/_internal/models/scheme.py)
2024-03-08T03:55:29.3181420Z ++ pwd
2024-03-08T03:55:29.3186770Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl
2024-03-08T03:55:29.4661550Z Traceback (most recent call last):
2024-03-08T03:55:29.4662880Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3", line 5, in <module>
2024-03-08T03:55:29.4664470Z     from pip._internal.cli.main import main
2024-03-08T03:55:29.4666110Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 10, in <module>
2024-03-08T03:55:29.4667650Z     from pip._internal.cli.autocompletion import autocomplete
2024-03-08T03:55:29.4669180Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/autocompletion.py", line 9, in <module>
2024-03-08T03:55:29.4670560Z     from pip._internal.cli.main_parser import create_main_parser
2024-03-08T03:55:29.4672620Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main_parser.py", line 7, in <module>
2024-03-08T03:55:29.4673790Z     from pip._internal.cli import cmdoptions
2024-03-08T03:55:29.4675030Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/cmdoptions.py", line 24, in <module>
2024-03-08T03:55:29.4676280Z     from pip._internal.cli.progress_bars import BAR_TYPES
2024-03-08T03:55:29.4677640Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/progress_bars.py", line 12, in <module>
2024-03-08T03:55:29.4678930Z     from pip._internal.utils.logging import get_indentation
2024-03-08T03:55:29.4680260Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/logging.py", line 18, in <module>
2024-03-08T03:55:29.4681440Z     from pip._internal.utils.misc import ensure_dir
2024-03-08T03:55:29.4683080Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 31, in <module>
2024-03-08T03:55:29.4684220Z     from pip._internal.locations import (
2024-03-08T03:55:29.4685470Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/locations/__init__.py", line 9, in <module>
2024-03-08T03:55:29.4692810Z     from pip._internal.models.scheme import SCHEME_KEYS, Scheme
2024-03-08T03:55:29.4696270Z ImportError: cannot import name 'SCHEME_KEYS' from 'pip._internal.models.scheme' (/usr/local/lib/python3.11/site-packages/pip/_internal/models/scheme.py)
2024-03-08T03:55:29.4870360Z ++ pwd
2024-03-08T03:55:29.4875950Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/pyinstaller-4.7.tar.gz
2024-03-08T03:55:29.6303010Z Traceback (most recent call last):
2024-03-08T03:55:29.6304690Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3", line 5, in <module>
2024-03-08T03:55:29.6306170Z     from pip._internal.cli.main import main
2024-03-08T03:55:29.6307450Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 10, in <module>
2024-03-08T03:55:29.6308590Z     from pip._internal.cli.autocompletion import autocomplete
2024-03-08T03:55:29.6309860Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/autocompletion.py", line 9, in <module>
2024-03-08T03:55:29.6311100Z     from pip._internal.cli.main_parser import create_main_parser
2024-03-08T03:55:29.6312360Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main_parser.py", line 7, in <module>
2024-03-08T03:55:29.6313420Z     from pip._internal.cli import cmdoptions
2024-03-08T03:55:29.6314540Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/cmdoptions.py", line 24, in <module>
2024-03-08T03:55:29.6315670Z     from pip._internal.cli.progress_bars import BAR_TYPES
2024-03-08T03:55:29.6316910Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/progress_bars.py", line 12, in <module>
2024-03-08T03:55:29.6318100Z     from pip._internal.utils.logging import get_indentation
2024-03-08T03:55:29.6319310Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/logging.py", line 18, in <module>
2024-03-08T03:55:29.6320390Z     from pip._internal.utils.misc import ensure_dir
2024-03-08T03:55:29.6321530Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 31, in <module>
2024-03-08T03:55:29.6322550Z     from pip._internal.locations import (
2024-03-08T03:55:29.6323670Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/locations/__init__.py", line 9, in <module>
2024-03-08T03:55:29.6324870Z     from pip._internal.models.scheme import SCHEME_KEYS, Scheme
2024-03-08T03:55:29.6326580Z ImportError: cannot import name 'SCHEME_KEYS' from 'pip._internal.models.scheme' (/usr/local/lib/python3.11/site-packages/pip/_internal/models/scheme.py)

It even fails at the end (in the "print debugging info" section) when trying to get the pip version

2024-03-08T03:56:03.3518480Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 --version
2024-03-08T03:56:03.4926870Z Traceback (most recent call last):
2024-03-08T03:56:03.4928060Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3", line 5, in <module>
2024-03-08T03:56:03.4929260Z     from pip._internal.cli.main import main
2024-03-08T03:56:03.4930470Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 10, in <module>
2024-03-08T03:56:03.4931590Z     from pip._internal.cli.autocompletion import autocomplete
2024-03-08T03:56:03.4932870Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/autocompletion.py", line 9, in <module>
2024-03-08T03:56:03.4934100Z     from pip._internal.cli.main_parser import create_main_parser
2024-03-08T03:56:03.4935370Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main_parser.py", line 7, in <module>
2024-03-08T03:56:03.4936440Z     from pip._internal.cli import cmdoptions
2024-03-08T03:56:03.4937540Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/cmdoptions.py", line 24, in <module>
2024-03-08T03:56:03.4938680Z     from pip._internal.cli.progress_bars import BAR_TYPES
2024-03-08T03:56:03.4939910Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/progress_bars.py", line 12, in <module>
2024-03-08T03:56:03.4941420Z     from pip._internal.utils.logging import get_indentation
2024-03-08T03:56:03.4942610Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/logging.py", line 18, in <module>
2024-03-08T03:56:03.4944060Z     from pip._internal.utils.misc import ensure_dir
2024-03-08T03:56:03.4946270Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 31, in <module>
2024-03-08T03:56:03.4947290Z     from pip._internal.locations import (
2024-03-08T03:56:03.4948410Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/locations/__init__.py", line 9, in <module>
2024-03-08T03:56:03.4949620Z     from pip._internal.models.scheme import SCHEME_KEYS, Scheme
2024-03-08T03:56:03.4951360Z ImportError: cannot import name 'SCHEME_KEYS' from 'pip._internal.models.scheme' (/usr/local/lib/python3.11/site-packages/pip/_internal/models/scheme.py)
2024-03-08T03:56:03.5091190Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/python3.11 -m pip list
2024-03-08T03:56:03.6462720Z Traceback (most recent call last):
2024-03-08T03:56:03.6463950Z   File "<frozen runpy>", line 198, in _run_module_as_main
2024-03-08T03:56:03.6465360Z   File "<frozen runpy>", line 88, in _run_code
2024-03-08T03:56:03.6467210Z   File "/usr/local/lib/python3.11/site-packages/pip/__main__.py", line 23, in <module>
2024-03-08T03:56:03.6468780Z     from pip._internal.cli.main import main as _main  # isort:skip # noqa
2024-03-08T03:56:03.6469580Z     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-08T03:56:03.6470680Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 10, in <module>
2024-03-08T03:56:03.6471860Z     from pip._internal.cli.autocompletion import autocomplete
2024-03-08T03:56:03.6473200Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/autocompletion.py", line 9, in <module>
2024-03-08T03:56:03.6474460Z     from pip._internal.cli.main_parser import create_main_parser
2024-03-08T03:56:03.6475780Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main_parser.py", line 7, in <module>
2024-03-08T03:56:03.6476890Z     from pip._internal.cli import cmdoptions
2024-03-08T03:56:03.6478060Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/cmdoptions.py", line 24, in <module>
2024-03-08T03:56:03.6480010Z     from pip._internal.cli.progress_bars import BAR_TYPES
2024-03-08T03:56:03.6481320Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/progress_bars.py", line 12, in <module>
2024-03-08T03:56:03.6482510Z     from pip._internal.utils.logging import get_indentation
2024-03-08T03:56:03.6483750Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/logging.py", line 18, in <module>
2024-03-08T03:56:03.6484860Z     from pip._internal.utils.misc import ensure_dir
2024-03-08T03:56:03.6486000Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 31, in <module>
2024-03-08T03:56:03.6487060Z     from pip._internal.locations import (
2024-03-08T03:56:03.6488220Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/locations/__init__.py", line 9, in <module>
2024-03-08T03:56:03.6489450Z     from pip._internal.models.scheme import SCHEME_KEYS, Scheme
2024-03-08T03:56:03.6491170Z ImportError: cannot import name 'SCHEME_KEYS' from 'pip._internal.models.scheme' (/usr/local/lib/python3.11/site-packages/pip/_internal/models/scheme.py)
2024-03-08T03:56:03.6643590Z + which pip3
2024-03-08T03:56:03.6661270Z /usr/local/bin/pip3
2024-03-08T03:56:03.6662710Z + pip3 list
2024-03-08T03:56:03.8124880Z Traceback (most recent call last):
2024-03-08T03:56:03.8125740Z   File "/usr/local/bin/pip3", line 5, in <module>
2024-03-08T03:56:03.8133380Z     from pip._internal.cli.main import main
2024-03-08T03:56:03.8134880Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 10, in <module>
2024-03-08T03:56:03.8136070Z     from pip._internal.cli.autocompletion import autocomplete
2024-03-08T03:56:03.8137410Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/autocompletion.py", line 9, in <module>
2024-03-08T03:56:03.8138680Z     from pip._internal.cli.main_parser import create_main_parser
2024-03-08T03:56:03.8139990Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/main_parser.py", line 7, in <module>
2024-03-08T03:56:03.8141120Z     from pip._internal.cli import cmdoptions
2024-03-08T03:56:03.8142310Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/cmdoptions.py", line 24, in <module>
2024-03-08T03:56:03.8143620Z     from pip._internal.cli.progress_bars import BAR_TYPES
2024-03-08T03:56:03.8144850Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/progress_bars.py", line 12, in <module>
2024-03-08T03:56:03.8146020Z     from pip._internal.utils.logging import get_indentation
2024-03-08T03:56:03.8147220Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/logging.py", line 18, in <module>
2024-03-08T03:56:03.8148300Z     from pip._internal.utils.misc import ensure_dir
2024-03-08T03:56:03.8149420Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 31, in <module>
2024-03-08T03:56:03.8150430Z     from pip._internal.locations import (
2024-03-08T03:56:03.8151550Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/locations/__init__.py", line 9, in <module>
2024-03-08T03:56:03.8153130Z     from pip._internal.models.scheme import SCHEME_KEYS, Scheme
2024-03-08T03:56:03.8154800Z ImportError: cannot import name 'SCHEME_KEYS' from 'pip._internal.models.scheme' (/usr/local/lib/python3.11/site-packages/pip/_internal/models/scheme.py)
maltfield commented 7 months ago

Looks like I had this issue before, and it was fixed by making sure we used the right python/pip version

maltfield commented 7 months ago

Google seems to suggest that these SCHEME_KEYS errors mean I need to upgrade pip. And, of course, there's no secure way to do that. Let's 3TOFU again because the fucking pip maintainers don't give a shit about secure supply chain security.

Currently we install pip-20.1.1-py2.py3-none-any.whl

${PIP_PATH} install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file://`pwd`/build/deps/ build/deps/pip-20.1.1-py2.py3-none-any.whl

Looks like the latest version is 24.0:

maltfield commented 7 months ago

TOFU 1/3 (VPN, exit in Hong Kong) gives sha256sum = ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc

user@disp3820:~$ REMOTE_FILES="https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl"

CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
gpg --with-fingerprint --keyid-format 0xlong *
bash: user: command not found
/tmp/tmp.G5nLcLkzB7 ~
Hong Kong
2024-03-08
--2024-03-07 23:25:53--  https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.76.223, 2a04:4e42:12::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.76.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2110226 (2.0M) [binary/octet-stream]
Saving to: ‘pip-24.0-py3-none-any.whl’

pip-24.0-py3-none-a 100%[===================>]   2.01M  41.6KB/s    in 24s     

2024-03-07 23:26:20 (85.5 KB/s) - ‘pip-24.0-py3-none-any.whl’ saved [2110226/2110226]

Fri 08 Mar 2024 04:26:20 AM UTC
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
...
user@disp3820:/tmp/tmp.G5nLcLkzB7$
maltfield commented 7 months ago

TOFU 2/3 (Tor, exit in Poland) gives sha256sum = ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc

user@host:~$ REMOTE_FILES="https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl" 

CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
gpg --with-fingerprint --keyid-format 0xlong *
bash: user: command not found
/tmp/tmp.B9EwgGn7if ~
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131}button,html{font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}@media (prefers-color-scheme:dark){body{background-color:#222;color:#d9d9d9}body a{color:#fff}body a:hover{color:#ee730a;text-decoration:underline}body .lds-ring div{border-color:#999 transparent transparent}body .font-red{color:#b20f03}body .big-button,body .pow-button{background-color:#4693ff;color:#1d1d1d}body #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body #challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI0IyMEYwMyIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjQjIwRjAzIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+)}}body{display:flex;flex-direction:column;min-height:100vh}body.no-js .loading-spinner{visibility:hidden}body.no-js .challenge-running{display:none}body.dark{background-color:#222;color:#d9d9d9}body.dark a{color:#fff}body.dark a:hover{color:#ee730a;text-decoration:underline}body.dark .lds-ring div{border-color:#999 transparent transparent}body.dark .font-red{color:#b20f03}body.dark .big-button,body.dark .pow-button{background-color:#4693ff;color:#1d1d1d}body.dark #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body.dark #challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI0IyMEYwMyIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjQjIwRjAzIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+)}body.light{background-color:transparent;color:#313131}body.light a{color:#0051c3}body.light a:hover{color:#ee730a;text-decoration:underline}body.light .lds-ring div{border-color:#595959 transparent transparent}body.light .font-red{color:#fc574a}body.light .big-button,body.light .pow-button{background-color:#003681;border-color:#003681;color:#fff}body.light #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body.light #challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI2ZjNTc0YSIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjZmM1NzRhIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+)}a{background-color:transparent;color:#0051c3;text-decoration:none;transition:color .15s ease}a:hover{color:#ee730a;text-decoration:underline}.main-content{margin:8rem auto;max-width:60rem;width:100%}.heading-favicon{height:2rem;margin-right:.5rem;width:2rem}@media (width <= 720px){.main-content{margin-top:4rem}.heading-favicon{height:1.5rem;width:1.5rem}}.footer,.main-content{padding-left:1.5rem;padding-right:1.5rem}.main-wrapper{align-items:center;display:flex;flex:1;flex-direction:column}.font-red{color:#b20f03}.spacer{margin:2rem 0}.h1{font-size:2.5rem;font-weight:500;line-height:3.75rem}.h2{font-weight:500}.core-msg,.h2{font-size:1.5rem;line-height:2.25rem}.body-text,.core-msg{font-weight:400}.body-text{font-size:1rem;line-height:1.25rem}@media (width <= 720px){.h1{font-size:1.5rem;line-height:1.75rem}.h2{font-size:1.25rem}.core-msg,.h2{line-height:1.5rem}.core-msg{font-size:1rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI2ZjNTc0YSIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjZmM1NzRhIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+);padding-left:34px}#challenge-error-text,#challenge-success-text{background-repeat:no-repeat;background-size:contain}#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=);padding-left:42px}.text-center{text-align:center}.big-button{border:.063rem solid #0051c3;border-radius:.313rem;font-size:.875rem;line-height:1.313rem;padding:.375rem 1rem;transition-duration:.2s;transition-property:background-color,border-color,color;transition-timing-function:ease}.big-button:hover{cursor:pointer}.captcha-prompt:not(.hidden){display:flex}@media (width <= 720px){.captcha-prompt:not(.hidden){flex-wrap:wrap;justify-content:center}}.pow-button{background-color:#0051c3;color:#fff;margin:2rem 0}.pow-button:hover{background-color:#003681;border-color:#003681;color:#fff}.footer{font-size:.75rem;line-height:1.125rem;margin:0 auto;max-width:60rem;width:100%}.footer-inner{border-top:1px solid #d9d9d9;padding-bottom:1rem;padding-top:1rem}.clearfix:after{clear:both;content:"";display:table}.clearfix .column{float:left;padding-right:1.5rem;width:50%}.diagnostic-wrapper{margin-bottom:.5rem}.footer .ray-id{text-align:center}.footer .ray-id code{font-family:monaco,courier,monospace}.core-msg,.zone-name-title{overflow-wrap:break-word}@media (width <= 720px){.diagnostic-wrapper{display:flex;flex-wrap:wrap;justify-content:center}.clearfix:after{clear:none;content:none;display:initial;text-align:center}.column{padding-bottom:2rem}.clearfix .column{float:none;padding:0;width:auto;word-break:keep-all}.zone-name-title{margin-bottom:1rem}}.loading-spinner{height:76.391px}.lds-ring{display:inline-block;position:relative}.lds-ring,.lds-ring div{height:1.875rem;width:1.875rem}.lds-ring div{animation:lds-ring 1.2s cubic-bezier(.5,0,.5,1) infinite;border:.3rem solid transparent;border-radius:50%;border-top-color:#313131;box-sizing:border-box;display:block;position:absolute}.lds-ring div:first-child{animation-delay:-.45s}.lds-ring div:nth-child(2){animation-delay:-.3s}.lds-ring div:nth-child(3){animation-delay:-.15s}@keyframes lds-ring{0%{transform:rotate(0)}to{transform:rotate(1turn)}}@media screen and (-ms-high-contrast:active),screen and (-ms-high-contrast:none){.main-wrapper,body{display:block}}</style><meta http-equiv="refresh" content="375"></head><body class="no-js"><div class="main-wrapper" role="main"><div class="main-content"><noscript><div id="challenge-error-title"><div class="h2"><span id="challenge-error-text">Enable JavaScript and cookies to continue</span></div></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "ifconfig.co",cType: 'managed',cNounce: '88448',cRay: '8614626d4c1b91fc',cHash: '74a0e7cd429f6ab',cUPMDTk: "\/country?__cf_chl_tk=YtIaq1nVHT..arhPkeS814SgOzRQTIcS6287O.RMTk4-1709917257-0.0.1.1-1471",cFPWv: 'b',cTTimeMs: '1000',cMTimeMs: '375000',cTplV: 5,cTplB: 'cf',cK: "visitor-time",fa: "\/country?__cf_chl_f_tk=YtIaq1nVHT..arhPkeS814SgOzRQTIcS6287O.RMTk4-1709917257-0.0.1.1-1471",md: "eweM2EZLa.S9TQpU3TRjwFKa7d6V_zzrCbYyu13NacI-1709917257-1.1.1.1-3nhX8taVzQnqsXxFXTv.nzakzStrFP0Cr9PlgBEJvJfOj3eyvnAvtTs26R9ZIAIvrw8G1r86H9r5aE3QuX5oQ4Zqcy6bbbx3wxRRCz_GAI0uZ4MFkiG.597lDAEUA.TSq7fK.EEAiuFynPhC6Z6oJ1Ra4N8zdEE4ie21KgimUOPQ8hUMFnkOIm.bNBHtxSuIM3oYKD2AFiRMPQGK2KjAp9QzA3hZdy9MVDTaybFkCBd3oZKBd3J6U.roItEX1yimBLyOWhQgbqcRR7ZowunJwGOSntVTn1UZRd7o.n1239roSD7kBgxA_J8D6q7gu8VoRBdZLXohdyivV4wFcntQKUXcP0DdV.SRNB2kPH30qpc1yezcxHabBylwYBTvwXOrVs6j6fn5mrP8JEllfcsjADz6li3oHaRqMLgixZzKUlDroH7vC3pn16YCcMIY_amBjK1HDHDu.yVQ6YkoezEFdkH8sDpFZNSHVijjefYTV.RnyUKWR7hLrOKXKYKpL5KEbGv_UnGRNZ_FtjRdfRNAehh1rcJtxTxYNcAWiZldNkmZF38mjc4tsuEDGH9iGW7I0pFEKRGUqEMd43KpCmZtryhHe2fz9ou9DQ74GmhLjUklZ31ODJBWNjjULZvTcx8v1CA_09sn2RFs5M.RX2B7NP9yqEHFkkFHmoep9BOizAC66XWDp4DTn8lkce4ptfNbc3BwG14xBFrd_Txa54Hk4Tf3vwmAwEWszfLWmi21KsbavC4vVP4j8UzBZgcLtajUPI_TAVofFNjBvUlpLn1nQXCP45TMzpKKsZUIfTTl8d5H7uVwKmDc67_7MtQigBdwNvSCTC.jl6x1pWX7Td54YkSoxGnsHCPQUcEj6J1bWBk1lwYGWG1q4FDuuSTW0I6X.XIjaEb35qsXJKTdm3FnOsJrvgw32LGFBLAFmQJMxnBKdqmWKk44jAZ.znh7FZ0xysyWU4V.xijmFgDHXFXCAmv3OgHx1QKxnZxmVAAOTC2_V..L1dIEvmCrV9y9uwWH.iDaZHlFvN4rF8zAywaV4DzDTizpQWpo0iJrxrjdY_8mcfvNSQWOmvr.AGYIVBkKqPirzgfGp8eXcn0NzM0L5v7wH9SVmkPxkdTouYLEkgKRkYu_P1Ox9XLcwJmEpLAN_9C2NSqT9nP42Kv3TxdoSyK_.OG_ZenB2gyo2_mraD2Id0QZ1x1sQ3tZNQwifVfWnufbJblUuYc1_.4EIV0ZbujluCVpoxSFjv7mN7v.cMYR9_OtIZE8kviaVmrVOyAxy01GXrb4Nz.cbvuIhMJXZF1pZmX88GrOIWdCDbf.FCLuuQXQs4i2Id80e_TWBsypveg9dSqdZWn2Pshk6rFgdgtL8VjgBFUADDCx5vAuGZ_xP7tp.OP_86Rd3YM6y4hs",mdrd: "T5ot9nPODhhGDF25P3aGml6AxfOOY8hHK2UPfbKbDUA-1709917257-1.1.1.1-L1ZnNusCuTsJ02jEzFcBJPcXKKKhTLXD2QIgysr0xjKswFRPcaxGeZAZZO8Q47tlFy3t0_lg8O0JeYdG__gc_bscmJgXbcIYvsKwZ4Sumwp3t.FQ7XBZdZgmuQYO.V6teSsPeWnTEPjIUWyEvPFgpOIlE1RuSIk3y9RSoe_FSf3.7waRTEEMAySjbxlYFRJ24PEDiTgFLJb5OUgv1hw7zbxuCC2oI8UuE20yWwn28k7KbneFt7Rkh_VtsRWQYOu1fJ620dNt8sgLKMHh0bhbIGOUTbz7YzQjOXnB91NO.9W1b1ZhTZQetBUcsIGSds8WZAYTMQVF8sSsvUdTnEOClWhE3_j4RoKNm1Rn1dKAYnzN6uxOh6aJH_U3WKj__575pxM3SE.oHAGwm5x.YY47BLUj.7G1_Uw7yRxMvxIx_p9g1jwEMshvZEpXNKsQmZZ_H9cC3USiBBZ2osLDP46pQi7gSdHOqn.EzIkc0_bqB_UOHwZAMKqSoNA4sk3imVCWvfXbUP5P.HKRFY6T4K_ZqPMtfJC8_jrOrFtCUYQq2TRuiwltCVWOiOUKFcOFBYeKqOkNPq3Jl1oeVux4zJ1fIb.mxwcioH9K2uueg5fessPUkdNBuDzK5PsNrpDLAT8xk9i2dPsM36IW9amdfROe9El5n7jZc13WYImHyoIj3s6KKhbjrC.xXbBwkCXLobxKniHJwAnnQ3gt3nqs.c94B.OS6FiRsXWJI8rI4_1O0yJSZfycNCyXQLYFEtsHyvmoWgN9BE57MnHxIFEmvy8ilfRXZVyFSEJoUBq1To9Mb1J34pAytIVsQ_pJibv6_bEFC0875FOoOpW1DAXoBD2ILiek7uSj99R.nM9GvkzG0LuYIKBmF63VehrJHwhibydShW1g.shKz80kUUtyvaBRge8SFm8OBBmfWdPLFzUNK.s_FStrcjTvsOjA4flRTeIXmR20O5Z7tYHaKkWGPn_7iB9A0f_9H4dRMQ5ub7i_Ig.uiIuNjJTqm7rhoVEKTb6uO_xcpi52Yf7Gjo5gIE6WMIqFAgXJQeqWTO_k86Lpcqt9hxhaYqTNJcidkhyyWoMKVhpZDCt_9_kxrF4XQIPcsRcBhhOLiDDq5BtPo00M1SDzEtaK6paxgBpxl.cZMgnGK67q9r1QtmhbUdr43off9_w4Bol9IkEV88Yco6r8kixwYxwzovRYGDBLcNJJa4KfaHjwiiTvNgQdR2ZEqoSWLmhdY0lzlUBjM3TXvhN4oQxA4g4tDZO61jozn0IBT1NOBTertKsR2qVvBXFEOQ9owgGGS7Mqa6Y7iH59Y8P.nqK0PPqXYBz99f00iy3Jf3U_yVzYSbSrwLRliw4PrOImXD_5ib19vjauazj12gxFhrrG0WMrhkK_jZ4WAL_3Ze9gnAJ2E7_BsKOqNY035zrv6bQul1HuxFDqLhL3uysaT0l6ky65MrMSKySnjHoOLtCgYi__mgiF7r7RTvBFxTqZ4HQbJeeb.56eoNU9YJqaTd6XndwaVVN.WH4z9_BrLqlV.JPdePg9T3fA2gAeNCpaCf4BYOqv1k51MzzV6c49eSBziRXI3unMHzz_apx8PdBuldgnzg_FleK7vZWCMDKeJTC75E1_T3llegmGdf_Zpr0MDv3028LOLGEyTXH0X0fgvLRmDc169E.QtLt5.TzdtLpoUXMTDOCApD69DoWeAclLRdQRsYiQxsslVXvoOXuuQYdjEY8JBhC_7zPz99yXv4wTCmHDqqt6B8qaDeQF.qVJLq3g34gFHkmyuYKXGUBB.j3ILzs5wvFYYRl..O.P8n9kfesFZZA78nYK_S90JdnoE2Ou4cLXLZHuCL7dH1c4eAGQVzW88HcwvdJTq9H0yKyYg.byXfdIkZjblXb7tmfM1ExMaKG2VUkOo55jdhYt",cRq: {ru: 'aHR0cHM6Ly9pZmNvbmZpZy5jby9jb3VudHJ5',ra: 'Y3VybC83Ljc0LjA=',rm: 'R0VU',d: '3DDgWqBx3GVP+3GLCKwVoMu+pMbTGLrgvQR5iLOSfzyhYozzsauPHdSFMIzYTy5ODSFyHp89C2JXU/y1sTBFoMezXzamuIx3uTwJO595r5NF81GF3M6dq04jOxkYhlWS6gUy1aCpfgVIHFLksUScbtE3Z2yllkgoJEl+SojtdhYBh9cU4cWlImTqG7Bb2KmEYEnLuzLfYyUb0IUPcYkhHffZ+Xxg3+IwTSylttfIU0L2cfVumdzAc0Zrz0+MxmcI3NjKfrKBTeeBPDRVJPlniUr2SSFU90u0szM1F7+DxItN9dY6bstJVQJkwnWG/r2ezOwIpP+xUiu6RTsC8upsYgA93zrojtND/3sY5AjAruRfuvOyE1KGm1ufLAnU18/tZixNdgdtpkKBJuSKFNqWO/7WFhQq5b0oMn5YUVQRlEIzLcD73AjYlZqk9SJIjl07J5aDA1jD9Dqa9gzcwPxkd/CyI6BGzbUgy/haFFOszuO9W4Ya+i3YR8NeQ86p/7tp',t: 'MTcwOTkxNzI1Ny44MDYwMDA=',cT: Math.floor(Date.now() / 1000),m: 'QAvhr7ZpyQf3eRA8LucA3Q4Th9mUEmMQe1g4irgD1o8=',i1: 'ixHNoeA/9VObKR9avRrfsw==',i2: 'HauQv12KjsSBBnPDJq7HpA==',zh: 'wfxagHEJWT3JG7Kg7GGlyGD+aeLZ/HC9BE3wDXuEzqE=',uh: 'zu+cQgicc5rF6Q8HHTJhdGCD3QVkjetpkn+QXGMpZBU=',hh: 'am/Zv95ZWAcmK4pRq/3uE/0XoTs/sjoPLUYI0lCN1aE=',}};var cpo = document.createElement('script');cpo.src = '/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8614626d4c1b91fc';window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;history.replaceState(null, null, "\/country?__cf_chl_rt_tk=YtIaq1nVHT..arhPkeS814SgOzRQTIcS6287O.RMTk4-1709917257-0.0.1.1-1471" + window._cf_chl_opt.cOgUHash);cpo.onload = function() {history.replaceState(null, null, ogU);}}document.getElementsByTagName('head')[0].appendChild(cpo);}());</script></body></html>      Congratulations. This browser is configured to use Tor.
2024-03-08
--2024-03-08 17:01:00--  https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.36.223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.36.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2110226 (2.0M) [binary/octet-stream]
Saving to: ‘pip-24.0-py3-none-any.whl’

pip-24.0-py3-none-a 100%[===================>]   2.01M   153KB/s    in 17s     

2024-03-08 17:01:19 (122 KB/s) - ‘pip-24.0-py3-none-any.whl’ saved [2110226/2110226]

Fri 08 Mar 2024 05:01:19 PM UTC
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
user@host:/tmp/tmp.B9EwgGn7if$
maltfield commented 7 months ago

TOFU 3/3 (ISP, exit in Ecuador) gives sha256sum = ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc

user@disp4805:~$ REMOTE_FILES="https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl"

CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
gpg --with-fingerprint --keyid-format 0xlong *
bash: user: command not found
/tmp/tmp.ClOrQkf9Q8 ~
Ecuador
2024-03-09
--2024-03-09 13:05:28--  https://files.pythonhosted.org/packages/8a/6a/19e9fe04fca059ccf770861c7d5721ab4c2aebc539889e97c7977528a53b/pip-24.0-py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 199.232.48.223, 2a04:4e42:49::223
Connecting to files.pythonhosted.org (files.pythonhosted.org)|199.232.48.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2110226 (2.0M) [binary/octet-stream]
Saving to: ‘pip-24.0-py3-none-any.whl’

pip-24.0-py3-none-any.whl     100%[===============================================>]   2.01M   921KB/s    in 2.2s    

2024-03-09 13:05:30 (921 KB/s) - ‘pip-24.0-py3-none-any.whl’ saved [2110226/2110226]

Sat 09 Mar 2024 06:05:30 PM UTC
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
user@disp4805:/tmp/tmp.ClOrQkf9Q8$
maltfield commented 7 months ago

Ok, 3/3 TOFU on 3 distinct days matches; adding to the repo

Sat 09 Mar 2024 06:05:30 PM UTC
Fri 08 Mar 2024 04:26:20 AM UTC
Fri 08 Mar 2024 05:01:19 PM UTC
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
maltfield commented 7 months ago

After upgrading, the linux & windows builds are still working but the MacOS builds are still failing

We fixed the issue with SCHEME_KEYS, however, this is something new.

For some reason when it installs pip-24.0 it says it Successfully installed pip-23.3.1

2024-03-10T02:06:09.6857290Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/pip-24.0-py3-none-any.whl
2024-03-10T02:06:10.2061330Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-03-10T02:06:10.2293570Z Processing ./build/deps/pip-24.0-py3-none-any.whl
2024-03-10T02:06:10.3062690Z Installing collected packages: pip
2024-03-10T02:06:12.1157720Z Successfully installed pip-23.3.1
2024-03-10T02:06:12.1848790Z ++ sort -n
2024-03-10T02:06:12.1851640Z ++ find /usr/local/Cellar/python@3.11 /usr/local/Cellar/python@3.12 -type f -wholename '*bin/pip3*'
2024-03-10T02:06:12.1857130Z ++ uniq
2024-03-10T02:06:12.1869520Z ++ head -n1
2024-03-10T02:06:12.2749580Z + PIP_PATH=/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip
maltfield commented 7 months ago

The first noticeable error appears to be when it tries to install PyInstaller

2024-03-10T02:06:14.5875850Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/pyinstaller-4.7.tar.gz
2024-03-10T02:06:15.0305170Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-03-10T02:06:15.0492760Z Processing ./build/deps/pyinstaller-4.7.tar.gz
2024-03-10T02:06:15.2806720Z   Installing build dependencies: started
2024-03-10T02:06:16.4391520Z   Installing build dependencies: finished with status 'done'
2024-03-10T02:06:16.4442830Z   Getting requirements to build wheel: started
2024-03-10T02:06:16.6307710Z   Getting requirements to build wheel: finished with status 'done'
2024-03-10T02:06:16.6362190Z ERROR: Exception:
2024-03-10T02:06:16.6362790Z Traceback (most recent call last):
2024-03-10T02:06:16.6365210Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/base_command.py", line 180, in exc_logging_wrapper
2024-03-10T02:06:16.6366370Z     status = run_func(*args)
2024-03-10T02:06:16.6366790Z              ^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6367790Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/cli/req_command.py", line 245, in wrapper
2024-03-10T02:06:16.6368820Z     return func(self, options, args)
2024-03-10T02:06:16.6369290Z            ^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6370290Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/commands/install.py", line 377, in run
2024-03-10T02:06:16.6371310Z     requirement_set = resolver.resolve(
2024-03-10T02:06:16.6371800Z                       ^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6372990Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 76, in resolve
2024-03-10T02:06:16.6374650Z     collected = self.factory.collect_root_requirements(root_reqs)
2024-03-10T02:06:16.6375630Z                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6377070Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 534, in collect_root_requirements
2024-03-10T02:06:16.6378340Z     reqs = list(
2024-03-10T02:06:16.6378660Z            ^^^^^
2024-03-10T02:06:16.6380310Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 490, in _make_requirements_from_install_req
2024-03-10T02:06:16.6382590Z     cand = self._make_base_candidate_from_link(
2024-03-10T02:06:16.6383170Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6385020Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/factory.py", line 228, in _make_base_candidate_from_link
2024-03-10T02:06:16.6387170Z     self._link_candidate_cache[link] = LinkCandidate(
2024-03-10T02:06:16.6388130Z                                        ^^^^^^^^^^^^^^
2024-03-10T02:06:16.6389540Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 290, in __init__
2024-03-10T02:06:16.6390700Z     super().__init__(
2024-03-10T02:06:16.6391810Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 156, in __init__
2024-03-10T02:06:16.6393290Z     self.dist = self._prepare()
2024-03-10T02:06:16.6393750Z                 ^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6394970Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 222, in _prepare
2024-03-10T02:06:16.6396700Z     dist = self._prepare_distribution()
2024-03-10T02:06:16.6397220Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6398970Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/candidates.py", line 301, in _prepare_distribution
2024-03-10T02:06:16.6401620Z     return preparer.prepare_linked_requirement(self._ireq, parallel_builds=True)
2024-03-10T02:06:16.6402990Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6404330Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/operations/prepare.py", line 525, in prepare_linked_requirement
2024-03-10T02:06:16.6406160Z     return self._prepare_linked_requirement(req, parallel_builds)
2024-03-10T02:06:16.6406860Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6408500Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/operations/prepare.py", line 640, in _prepare_linked_requirement
2024-03-10T02:06:16.6409950Z     dist = _get_prepared_distribution(
2024-03-10T02:06:16.6410460Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6412190Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/operations/prepare.py", line 71, in _get_prepared_distribution
2024-03-10T02:06:16.6414140Z     abstract_dist.prepare_distribution_metadata(
2024-03-10T02:06:16.6416700Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/distributions/sdist.py", line 54, in prepare_distribution_metadata
2024-03-10T02:06:16.6417960Z     self._install_build_reqs(finder)
2024-03-10T02:06:16.6419180Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/distributions/sdist.py", line 124, in _install_build_reqs
2024-03-10T02:06:16.6420380Z     build_reqs = self._get_build_requires_wheel()
2024-03-10T02:06:16.6420940Z                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6422210Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/distributions/sdist.py", line 101, in _get_build_requires_wheel
2024-03-10T02:06:16.6423770Z     return backend.get_requires_for_build_wheel()
2024-03-10T02:06:16.6424550Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6425840Z   File "/usr/local/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 745, in get_requires_for_build_wheel
2024-03-10T02:06:16.6427260Z     return super().get_requires_for_build_wheel(config_settings=cs)
2024-03-10T02:06:16.6428080Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6429860Z   File "/usr/local/lib/python3.11/site-packages/pip/_vendor/pyproject_hooks/_impl.py", line 166, in get_requires_for_build_wheel
2024-03-10T02:06:16.6431450Z     return self._call_hook('get_requires_for_build_wheel', {
2024-03-10T02:06:16.6432110Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6433270Z   File "/usr/local/lib/python3.11/site-packages/pip/_vendor/pyproject_hooks/_impl.py", line 321, in _call_hook
2024-03-10T02:06:16.6434500Z     raise BackendUnavailable(data.get('traceback', ''))
2024-03-10T02:06:16.6435490Z pip._vendor.pyproject_hooks._impl.BackendUnavailable: Traceback (most recent call last):
2024-03-10T02:06:16.6437210Z   File "/usr/local/lib/python3.11/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 77, in _build_backend
2024-03-10T02:06:16.6438700Z     obj = import_module(mod_path)
2024-03-10T02:06:16.6439190Z           ^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6441290Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/importlib/__init__.py", line 126, in import_module
2024-03-10T02:06:16.6442960Z     return _bootstrap._gcd_import(name[level:], package, level)
2024-03-10T02:06:16.6444020Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2024-03-10T02:06:16.6444920Z   File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
2024-03-10T02:06:16.6445790Z   File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
2024-03-10T02:06:16.6446740Z   File "<frozen importlib._bootstrap>", line 1126, in _find_and_load_unlocked
2024-03-10T02:06:16.6447760Z   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
2024-03-10T02:06:16.6448700Z   File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
2024-03-10T02:06:16.6449570Z   File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
2024-03-10T02:06:16.6450530Z   File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
2024-03-10T02:06:16.6451680Z   File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
2024-03-10T02:06:16.6453010Z   File "<frozen importlib._bootstrap_external>", line 940, in exec_module
2024-03-10T02:06:16.6454400Z   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
2024-03-10T02:06:16.6456730Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/setuptools/__init__.py", line 23, in <module>
2024-03-10T02:06:16.6458450Z     from setuptools.dist import Distribution
2024-03-10T02:06:16.6460150Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/setuptools/dist.py", line 36, in <module>
2024-03-10T02:06:16.6461730Z     from setuptools.config import parse_configuration
2024-03-10T02:06:16.6467840Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/setuptools/config/__init__.py", line 8, in <module>
2024-03-10T02:06:16.6470410Z     from . import setupcfg
2024-03-10T02:06:16.6472670Z   File "/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/setuptools/config/setupcfg.py", line 32, in <module>
2024-03-10T02:06:16.6474750Z     from ..errors import FileError, OptionError
2024-03-10T02:06:16.6476760Z ImportError: cannot import name 'FileError' from 'setuptools.errors' (/usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/setuptools/errors.py)
maltfield commented 7 months ago

There's also issues installing Kivy. I think I should just go-through and update all the python packages to their latest versions.

2024-03-10T02:06:14.0117250Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl
2024-03-10T02:06:14.4974820Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-03-10T02:06:14.5164950Z ERROR: Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl is not a supported wheel on this platform.
maltfield commented 7 months ago

While I'm at it, I'll update python to Python v3.12.

Python is already securely installed in our linux CI runner, so no manual updates needed there.

Python comes installed on our MacOS CI runner. Possibly not secure, but we're relying on shared GitHub runners for MacOS builds. Anyway, no manual updates needed.

We do have to install Python on our Windows CI runners, and manually update our installer in this repo. Fortunately, it looks like Python does sign their windows releases with PGP, but I don't have the key in my keyring.

user@disp5109:~/Downloads$ wget https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe
--2024-03-09 23:54:26--  https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe
Resolving www.python.org (www.python.org)... 146.75.0.223, 2a04:4e42:70::223
Connecting to www.python.org (www.python.org)|146.75.0.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26667456 (25M) [application/octet-stream]
Saving to: ‘python-3.12.2-amd64.exe’

python-3.12.2-amd64 100%[===================>]  25.43M   734KB/s    in 32s     

2024-03-09 23:54:59 (820 KB/s) - ‘python-3.12.2-amd64.exe’ saved [26667456/26667456]

user@disp5109:~/Downloads$ 
user@disp5109:~/Downloads$ wget https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe.asc
--2024-03-09 23:57:10--  https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe.asc
Resolving www.python.org (www.python.org)... 146.75.0.223, 2a04:4e42:70::223
Connecting to www.python.org (www.python.org)|146.75.0.223|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 836 [application/octet-stream]
Saving to: ‘python-3.12.2-amd64.exe.asc’

python-3.12.2-amd64 100%[===================>]     836  --.-KB/s    in 0s      

2024-03-09 23:57:12 (151 MB/s) - ‘python-3.12.2-amd64.exe.asc’ saved [836/836]

user@disp5109:~/Downloads$ 
user@disp5109:~/Downloads$ gpg --verify python-3.12.2-amd64.exe.asc 
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: assuming signed data in 'python-3.12.2-amd64.exe'
gpg: Signature made Tue 06 Feb 2024 05:41:09 PM -05
gpg:                using RSA key FC624643487034E5
gpg: Can't check signature: No public key
user@disp5109:~/Downloads$

It looks like Python has a designated person as a Release Manager for each version of Python. Additionally, they have a designated person just for signing their Windows releases:

OpenPGP Public Keys

Source and binary executables are signed by the release manager or binary builder using their OpenPGP key. Release files for currently supported releases are signed by the following:

Thomas Wouters (3.12.x and 3.13.x source files and tags) (key id: A821E680E5FA6305)
Pablo Galindo Salgado (3.10.x and 3.11.x source files and tags) (key id: 64E628F8D684696D)
Steve Dower (Windows binaries) (key id: FC62 4643 4870 34E5)
Łukasz Langa (3.8.x and 3.9.x source files and tags) (key id: B269 95E3 1025 0568)
Ned Deily (macOS binaries, 3.7.x / 3.6.x source files and tags) (key ids: 2D34 7EA6 AA65 421D and FB99 2128 6F5E 1540
Larry Hastings (3.5.x source files and tags) (key id: 3A5C A953 F73C 700D)
Benjamin Peterson (2.7.z source files and tags) (key id: 04C3 67C2 18AD D4FF and A4135B38)

I'm going to have to 3TOFU those fingerprints. Here's the commands for this

CURL="/usr/bin/curl --compressed"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
    CURL="/usr/bin/torify ${CURL}"
    WGET="/usr/bin/torify ${WGET}"
    PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
date -u +"%Y-%m-%d"

# get the file
out=$(${CURL} -s https://www.python.org/downloads/ | grep -i 'windows binaries')
echo $out
fingerprint=$(echo $out | sed 's/.*fingerprint=\([^\"]*\).*/\1/')
echo $fingerprint
url=$(echo $out | sed 's/.*href="\([^\"]*\).*/\1/')
gpg --recv-keys $fingerprint
${WGET} -O pubkey.asc "${url}"
gpg --import pubkey.asc

# checksum
date -u
sha256sum *

# gpg fingerprint
gpg --with-fingerprint --keyid-format 0xlong *
gpg --keyid-format long --list-keys
maltfield commented 7 months ago

The documentation on how to verify the signature on python releases wasn't linked-to from the actual download page (where the link to download the signature is available), so I opened this ticket with the Python project to address this:

maltfield commented 7 months ago

It looks like the libusb1 dependency for MacOS is signed, but there is no documentation on how to get the release signing key and verify releases after download, so I created this ticket to address this:

In the meantime, I guess I can 3TOFU with the following commands

REMOTE_FILES="https://github.com/libusb/libusb/releases/download/v1.0.27/libusb-1.0.27.tar.bz2.asc"

CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
    CURL="/usr/bin/torify ${CURL}"
    WGET="/usr/bin/torify ${WGET}"
    PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
date -u +"%Y-%m-%d"

# get the file
for file in ${REMOTE_FILES}; do
    wget ${file}
done

# checksum
date -u
sha256sum *

# gpg fingerprint
gpg --with-fingerprint --keyid-format 0xlong --list-packets *
maltfield commented 7 months ago

I'm struggling to find the URL for the latest version of the bottle sources in Homebrew for MacOS.

This is what we currently have

${WGET} https://homebrew.bintray.com/bottles/wget-1.20.3_2.catalina.bottle.tar.gz
${WGET} https://homebrew.bintray.com/bottles/python-3.7.8.catalina.bottle.tar.gz
${WGET} https://homebrew.bintray.com/bottles/sdl2-2.0.12_1.catalina.bottle.tar.gz
${WGET} https://homebrew.bintray.com/bottles/sdl2_image-2.0.5.catalina.bottle.tar.gz
${WGET} https://homebrew.bintray.com/bottles/sdl2_ttf-2.0.15.catalina.bottle.tar.gz
${WGET} https://homebrew.bintray.com/bottles/sdl2_mixer-2.0.4.catalina.bottle.tar.gz
${WGET} https://homebrew.bintray.com/bottles/libmodplug-0.8.9.0.catalina.bottle.1.tar.gz

Unfortunately, the above URLs have a bad cert. Now it returns a cert for domain jfrog.io. I don't know what happened there. Maybe it's a mirror or they sold the domain to someone else.

Anyway, if I bypass the cert error then I get a 403 error anyway.

I asked about this on SE:

maltfield commented 7 months ago

Ok, it looks like Bintray was some sort of file host for software deps run by JFrog, some sort of company that sells supply chain deps solution (looks like insecure just-in-time nonsense).

Anyway, bitrary shutdown in 2021

It looks like Homebrew was previously using bintray to host their bottle files, and they since moved to GitHub Packages:

maltfield commented 6 months ago

I'm able to download the manifest from the GitHub docker registry where Homebrew now stores its bottle files, but I can't figure out how to get the actual files

First, I visit the Homebrew registry on GitHub:

I type wget into the search bar and click on the specific package of interest:

I see that the latest tag is v 1.24.5, and I use that in the command below to get the manifest

# download the manifest file
curl -o manifest.json -v -H "Authorization: Bearer QQ==" -H 'Accept: application/vnd.oci.image.index.v1+json' https://ghcr.io/v2/homebrew/core/wget/manifests/1.24.5

# view the downloaded file
cat manifest.json

The manifest.json file is downloaded

}user@disp897:~/Downloads/brew-wget$ head manifest.json 
{
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:c5ae04188725dc26a627b5a6309b2c722cff1d1e01ca2dc822bfa0ef5d4bb2e7",
      "size": 2542,
      "platform": {
        "architecture": "arm64",
        "os": "darwin",
user@disp897:~/Downloads/brew-wget$

TODO: figure out how to parse the manifest.json file and download the actual bottle files using the digest entries in the manifest file

maltfield commented 6 months ago

I thought maybe it would be easier to use docker to pull the image than wget, but it complains that my OS isn't supported. Well, duh, I'm just trying to download a file for MacOS on Linux. I don't want to try to run it. Why can't I ignore the platform and force the download?

I tried to override the default platform with --platform but it didn't work

user@disp897:~/Downloads/brew-wget$ sudo docker pull --platform "darwin/amd64" ghcr.io/homebrew/core/wget:1.24.5@sha256:4aaf14c52742ecc48d5186d9cabc03f5e31511f810b27df4498f7ef75bcedec6
ghcr.io/homebrew/core/wget@sha256:4aaf14c52742ecc48d5186d9cabc03f5e31511f810b27df4498f7ef75bcedec6: Pulling from homebrew/core/wget
operating system is not supported
user@disp897:~/Downloads/brew-wget$

But even when I tried it on MacOS, I got the same error

maltfield@host ~ % docker pull ghcr.io/homebrew/core/wget:1.24.5@sha256:4aaf14c52742ecc48d5186d9cabc03f5e31511f810b27df4498f7ef75bcedec6
ghcr.io/homebrew/core/wget@sha256:4aaf14c52742ecc48d5186d9cabc03f5e31511f810b27df4498f7ef75bcedec6: Pulling from homebrew/core/wget
ffc49a5064a0: Downloading  16.54kB/1.615MB
operating system is not supported
maltfield@host ~ %

I tried an older version of wget that specifically listed darwin/macos 10.15.7/amd64. But it failed too

maltfield@host ~ % /usr/bin/sw_vers
ProductName:    Mac OS X
ProductVersion: 10.15.7
BuildVersion:   19H1922
maltfield@host ~ % 

maltfield@host ~ % docker pull ghcr.io/homebrew/core/wget:1.21.3@sha256:9972a4fb3bf555bbfa18f2b117b2dd761c847ed6394116d51cae90ab50a0a1c4
ghcr.io/homebrew/core/wget@sha256:9972a4fb3bf555bbfa18f2b117b2dd761c847ed6394116d51cae90ab50a0a1c4: Pulling from homebrew/core/wget
2aadef5aae81: Pulling fs layer 
operating system is not supported
maltfield@host ~ %
maltfield commented 6 months ago

See also:

maltfield commented 6 months ago

I asked a more general question on SE about how to download a GitHub Package file from the GitHub Container Registry:

maltfield commented 6 months ago

I've been in contact with the libusb devs on the issue linked-above, and they said they'll look into adding docs listing their PGP keys used to signed their release. In the meantime, the dev said his signing fingerprint is listed on his launchpad page:

So, similar to the python 3TOFU above, here's some commands to verify this on the one domain.

CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
    CURL="/usr/bin/torify ${CURL}"
    WGET="/usr/bin/torify ${WGET}"
    PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
date -u +"%Y-%m-%d"

# get the file
out=$(${CURL} -s https://launchpad.net/~tormodvolden | grep -iA 20 'pgp-keys')
echo $out
fingerprints=$(echo $out | sed 's%.*\([A-Z0-9]\{40\}\).*\([A-Z0-9]\{40\}\).*\([A-Z0-9]\{40\}\).*%\1\n\2\n\3%')
echo $fingerprints

for fingerprint in $fingerprints; do
  gpg --recv-keys $fingerprint
done

# checksum
date -u
sha256sum *

# gpg fingerprint
gpg --with-fingerprint --keyid-format 0xlong *
gpg --keyid-format long --list-keys
maltfield commented 6 months ago

I still don't see any way to upgrade the brew dependencies, but I don't want to keep this ticket blocked.

I just committed a change to the build/deps/download.sh file with the latest versions of all other dependencies, and I'll proceed with 3TOFU for them now.

maltfield commented 6 months ago

Here's TOFU 1/3 (VPN, exit in Germany) of the download.sh script

user@buskill:~/sandbox/buskill-app$ build/deps/download.sh 
+ sudo apt-get -y install python3-pip python3-setuptools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
python3-pip is already the newest version (20.3.4-4+deb11u1).
python3-setuptools is already the newest version (52.0.0-4).
The following packages were automatically installed and are no longer required:
  ethtool libbotan-2-17 libtspi1 linux-image-5.10.0-10-amd64 linux-image-5.10.0-13-amd64
  linux-image-5.10.0-14-amd64 linux-image-5.10.0-15-amd64 linux-image-5.10.0-16-amd64
  linux-image-5.10.0-17-amd64 linux-image-5.10.0-18-amd64 linux-image-5.10.0-19-amd64
  linux-image-5.10.0-20-amd64 linux-image-5.10.0-21-amd64 linux-image-5.10.0-22-amd64
  linux-image-5.10.0-23-amd64 linux-image-5.10.0-25-amd64 linux-image-5.10.0-26-amd64
  net-tools sse3-support
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+ CURL=/usr/bin/curl
+ WGET='/usr/bin/wget --retry-on-host-error --retry-connrefused'
+ PYTHON=/usr/bin/python3
++ whoami
+ [[ user == \a\m\n\e\s\i\a ]]
++ mktemp -d
+ tmpDir=/tmp/tmp.fKqFvVVPph
+ pushd /tmp/tmp.fKqFvVVPph
/tmp/tmp.fKqFvVVPph ~/sandbox/buskill-app
+ head -n1
+ /usr/bin/curl -s https://ifconfig.co/country
Germany
+ head -n1
+ /usr/bin/curl -s https://check.torproject.org
+ grep Congratulations
+ date -u +%Y-%m-%d
2024-03-15
...
+ sha256sum altgraph-0.17.4-py2.py3-none-any.whl appimagetool-x86_64.AppImage certifi-2024.2.2-py3-none-any.whl charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl distlib-0.3.8-py2.py3-none-any.whl docutils-0.20.1-py3-none-any.whl filelock-3.13.1-py3-none-any.whl future-1.0.0-py3-none-any.whl idna-3.6-py3-none-any.whl importlib_metadata-7.0.2-py3-none-any.whl Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl Kivy-2.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl kivy_deps.angle-0.4.0-cp37-cp37m-win_amd64.whl kivy_deps.glew-0.3.1-cp37-cp37m-win_amd64.whl kivy_deps.sdl2-0.7.0-cp37-cp37m-win_amd64.whl Kivy_Garden-0.1.5-py3-none-any.whl libusb-1.0.27.tar.bz2 libusb-1.0.27.tar.bz2.asc macholib-1.16.3-py2.py3-none-any.whl packaging-24.0-py3-none-any.whl pefile-2023.2.7-py3-none-any.whl pip-24.0-py3-none-any.whl platformdirs-4.2.0-py3-none-any.whl pygments-2.17.2-py3-none-any.whl pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl pypiwin32-223-py3-none-any.whl python-3.12.2-amd64.exe python-3.12.2-amd64.exe.asc python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage pywin32-306-cp37-cp37m-win_amd64.whl pywin32_ctypes-0.2.2-py3-none-any.whl requests-2.31.0-py3-none-any.whl setuptools-69.1.1-py3-none-any.whl squashfs4.4.tar.gz urllib3-2.2.1-py3-none-any.whl virtualenv-20.25.1-py3-none-any.whl wheel-0.42.0-py3-none-any.whl zipp-3.18.1-py3-none-any.whl
642743b4750de17e655e6711601b077bc6598dbfa3ba5fa2b2a35ce12b508dff  altgraph-0.17.4-py2.py3-none-any.whl
df3baf5ca5facbecfc2f3fa6713c29ab9cefa8fd8c1eac5d283b79cab33e4acb  appimagetool-x86_64.AppImage
dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1  certifi-2024.2.2-py3-none-any.whl
b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796  charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784  distlib-0.3.8-py2.py3-none-any.whl
96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6  docutils-0.20.1-py3-none-any.whl
57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c  filelock-3.13.1-py3-none-any.whl
929292d34f5872e70396626ef385ec22355a1fae8ad29e1a734c3e43f9fbc216  future-1.0.0-py3-none-any.whl
c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f  idna-3.6-py3-none-any.whl
f4bc4c0c070c490abf4ce96d715f68e95923320370efb66143df00199bb6c100  importlib_metadata-7.0.2-py3-none-any.whl
d2c6a411e2d837684d91b46231dd12db74fb1db6a2628e9f27581ce1583e5c8a  Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl
3be8db1eecc2d18859a7324b5cea79afb44095ccd73671987840afa26c68b0c9  Kivy-2.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
48592ac6f7c183c5cd10d9ebe43d4148d0b2b9e400a2b0bcb5d21014cc929ce2  kivy_deps.angle-0.4.0-cp37-cp37m-win_amd64.whl
d64a8625799fab7a7efeb3661ef8779a7f9c6d80da53eed87a956320f55530fa  kivy_deps.glew-0.3.1-cp37-cp37m-win_amd64.whl
95005fb3ae5b9e1d5edd32a6c0cfae9019efa2aeb3d909738dd73c5b9eea9dc1  kivy_deps.sdl2-0.7.0-cp37-cp37m-win_amd64.whl
ef50f44b96358cf10ac5665f27a4751bb34ef54051c54b93af891f80afe42929  Kivy_Garden-0.1.5-py3-none-any.whl
ffaa41d741a8a3bee244ac8e54a72ea05bf2879663c098c82fc5757853441575  libusb-1.0.27.tar.bz2
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
0e315d7583d38b8c77e815b1ecbdbf504a8258d8b3e17b61165c6feb60d18f2c  macholib-1.16.3-py2.py3-none-any.whl
2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5  packaging-24.0-py3-none-any.whl
da185cd2af68c08a6cd4481f7325ed600a88f6a813bad9dea07ab3ef73d8d8d6  pefile-2023.2.7-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068  platformdirs-4.2.0-py3-none-any.whl
b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c  pygments-2.17.2-py3-none-any.whl
7c76bfcb624803c311fa8fb137e4780d0ec86d11b7d90a8f43f185e2554afdcc  pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl
6701752d525e1f4eda1eaec2c2affc206171e15c7a4e188a152fcf3ed3308024  pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl
67adf399debc1d5d14dffc1ab5acacb800da569754fafdc576b2a039485aa775  pypiwin32-223-py3-none-any.whl
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65  python-3.12.2-amd64.exe
c85b82d619e6afd1731ef77761f47bc11eaff4ad51566fe692a484abd2c9bc58  python-3.12.2-amd64.exe.asc
4310f4c6e6972dbb01162fcd2bd887e111ba095c84242844f185aec5fc7ed0bd  python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage
72c5f621542d7bdd4fdb716227be0dd3f8565c11b280be6315b06ace35487d36  pywin32-306-cp37-cp37m-win_amd64.whl
bf490a1a709baf35d688fe0ecf980ed4de11d2b3e37b51e5442587a75d9957e7  pywin32_ctypes-0.2.2-py3-none-any.whl
58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f  requests-2.31.0-py3-none-any.whl
02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56  setuptools-69.1.1-py3-none-any.whl
a981b3f3f2054b5a2e658851a3c06a2460ad04a9a8a645e0afe063a63fdbb07e  squashfs4.4.tar.gz
450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d  urllib3-2.2.1-py3-none-any.whl
961c026ac520bac5f69acb8ea063e8a4f071bcc9457b9c1f28f6b085c511583a  virtualenv-20.25.1-py3-none-any.whl
177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d  wheel-0.42.0-py3-none-any.whl
206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b  zipp-3.18.1-py3-none-any.whl
user@buskill:~/sandbox/buskill-app$

For some reason the python TOFU is failing; the curl command is returning binary for some reason

...
Germany
2024-03-15

http://: Invalid host name.
gpg: no valid OpenPGP data found.
...

Update: I figured out this is fixed if I add the --compressed argument to curl, but only after I tried switching VPN servers a few times. So this one comes from Hungary while the rest were Germany

user@disp897:/tmp/tmp.gH8d1MlrTD$ CURL="/usr/bin/curl --compressed"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
date -u +"%Y-%m-%d"

# get the file
out=$(${CURL} -s https://www.python.org/downloads/ | grep -i 'windows binaries') 
echo $out
fingerprint=$(echo $out | sed 's/.*fingerprint=\([^\"]*\).*/\1/')
echo $fingerprint
url=$(echo $out | sed 's/.*href="\([^\"]*\).*/\1/')
gpg --recv-keys $fingerprint
${WGET} -O pubkey.asc "${url}"
gpg --import pubkey.asc

# checksum
date -u
sha256sum *

# gpg fingerprint
gpg --with-fingerprint --keyid-format 0xlong *
gpg --keyid-format long --list-keys
bash: user: command not found
/tmp/tmp.aQajAFyYPg /tmp/tmp.gH8d1MlrTD /tmp/tmp.aQ3uHh4PqB /tmp/tmp.JObAoTVbyJ /tmp/tmp.UjqkRDTK6A ~
Hungary
2024-03-16
<li><a class="reference external" href="https://keybase.io/stevedower/">Steve Dower (Windows binaries)</a> (key id: <a class="reference external" href="https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5">FC62 4643 4870 34E5</a>)</li>
7ed10b6531d7c8e1bc296021fc624643487034e5
gpg: key FC624643487034E5: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
--2024-03-15 19:25:01--  https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5
Resolving keybase.io (keybase.io)... 52.73.79.142, 54.164.129.34
Connecting to keybase.io (keybase.io)|52.73.79.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3182 (3.1K) [text/plain]
Saving to: ‘pubkey.asc’

pubkey.asc          100%[===================>]   3.11K  --.-KB/s    in 0s      

2024-03-15 19:25:05 (88.8 MB/s) - ‘pubkey.asc’ saved [3182/3182]

gpg: key FC624643487034E5: public key "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Sat 16 Mar 2024 12:25:05 AM UTC
6540096672a54a25e30f37e8700b98a94ba79b047b96a38df91db798f94a38e9  pubkey.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0xFC624643487034E5 2015-04-06 [SC]
      Key fingerprint = 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5
uid                             Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/0xE314D10907F87583 2015-04-06 [E]
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

user@disp897:/tmp/tmp.aQajAFyYPg$

Here's libusb1

Germany
2024-03-16
--2024-03-15 19:01:53--  https://github.com/libusb/libusb/releases/download/v1.0.27/libusb-1.0.27.tar.bz2.asc
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240316%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240316T000154Z&X-Amz-Expires=300&X-Amz-Signature=e669d008a5aff134230b43da1770f628587f9a7fb5ee8eb2333aafe6a23b5dfa&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream [following]
--2024-03-15 19:01:54--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240316%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240316T000154Z&X-Amz-Expires=300&X-Amz-Signature=e669d008a5aff134230b43da1770f628587f9a7fb5ee8eb2333aafe6a23b5dfa&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/octet-stream]
Saving to: ‘libusb-1.0.27.tar.bz2.asc’

libusb-1.0.27.tar.b 100%[===================>]     833  --.-KB/s    in 0s      

2024-03-15 19:01:56 (77.6 MB/s) - ‘libusb-1.0.27.tar.bz2.asc’ saved [833/833]

Sat 16 Mar 2024 12:01:56 AM UTC
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid AA0639079EFB61B9
    version 4, created 1706739331, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 84 5a
    hashed subpkt 33 len 21 (issuer fpr v4 9C7EA94939C69C4FBC3DBFA8AA0639079EFB61B9)
    hashed subpkt 2 len 4 (sig created 2024-01-31)
    subpkt 16 len 8 (issuer key ID AA0639079EFB61B9)
    data: [4093 bits]
user@disp897:/tmp/tmp.JObAoTVbyJ$ 
Germany
2024-03-16
<dl id="pgp-keys"> <dt>OpenPGP keys: </dt> <dd> <span style="word-wrap: anywhere">2C2E77AB60515D499CA488EFA32D8476BAF41D0C</span><span>,</span> <span style="word-wrap: anywhere">32EAC3AA2932F7F152850C2A0ECA153961EC0EEC</span><span>,</span> <span style="word-wrap: anywhere">C68187379B23DE9EFC46651E2C80FF56C6830A0E</span> </dd> </dl>
2C2E77AB60515D499CA488EFA32D8476BAF41D0C 32EAC3AA2932F7F152850C2A0ECA153961EC0EEC C68187379B23DE9EFC46651E2C80FF56C6830A0E
gpg: key A32D8476BAF41D0C: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 0ECA153961EC0EEC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 2C80FF56C6830A0E: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
Sat 16 Mar 2024 12:02:47 AM UTC
sha256sum: '*': No such file or directory
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open '*'

So it looks like the UIDs aren't uploaded/verified for the user's key in the keyserver, but we are fetching the fingerprints at least

maltfield commented 6 months ago

For some reason I was able to fix the binary output from the python website by specifying the compression argument. I opened a bug report for them here:

maltfield commented 6 months ago

Here's TOFU 2/3 (Tor, exit location Unknown) of the download.sh script

user@host:~/QubesIncoming/buskill$ ./download.sh 
+ sudo apt-get -y install python3-pip python3-setuptools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libbotan-2-17 libopengl0 libtspi1 monero-gui
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  build-essential g++ g++-10 libexpat1-dev libpython3-dev libpython3.9-dev libstdc++-10-dev
  python-pip-whl python3-dev python3-wheel python3.9-dev zlib1g-dev
Suggested packages:
  g++-multilib g++-10-multilib gcc-10-doc libstdc++-10-doc python-setuptools-doc
The following NEW packages will be installed:
  build-essential g++ g++-10 libexpat1-dev libpython3-dev libpython3.9-dev libstdc++-10-dev
  python-pip-whl python3-dev python3-pip python3-setuptools python3-wheel python3.9-dev zlib1g-dev
0 upgraded, 14 newly installed, 0 to remove and 5 not upgraded.
Need to get 18.7 MB of archives.
After this operation, 74.2 MB of additional disk space will be used.
Get:1 tor+https://deb.debian.org/debian bullseye/main amd64 libstdc++-10-dev amd64 10.2.1-6 [1,741 kB]
Get:2 tor+https://deb.debian.org/debian bullseye/main amd64 g++-10 amd64 10.2.1-6 [9,380 kB]        
Get:3 tor+https://deb.debian.org/debian bullseye/main amd64 g++ amd64 4:10.2.1-1 [1,644 B]          
Get:4 tor+https://deb.debian.org/debian bullseye/main amd64 build-essential amd64 12.9 [7,704 B]    
Get:5 tor+https://deb.debian.org/debian bullseye/main amd64 libexpat1-dev amd64 2.2.10-2+deb11u5 [141 kB]
Get:6 tor+https://deb.debian.org/debian bullseye/main amd64 libpython3.9-dev amd64 3.9.2-1 [4,028 kB]
Get:7 tor+https://deb.debian.org/debian bullseye/main amd64 libpython3-dev amd64 3.9.2-3 [21.7 kB]  
Get:8 tor+https://deb.debian.org/debian bullseye/main amd64 python-pip-whl all 20.3.4-4+deb11u1 [1,948 kB]
Get:9 tor+https://deb.debian.org/debian bullseye/main amd64 zlib1g-dev amd64 1:1.2.11.dfsg-2+deb11u2 [191 kB]
Get:10 tor+https://deb.debian.org/debian bullseye/main amd64 python3.9-dev amd64 3.9.2-1 [515 kB]   
Get:11 tor+https://deb.debian.org/debian bullseye/main amd64 python3-dev amd64 3.9.2-3 [24.8 kB]    
Get:12 tor+https://deb.debian.org/debian bullseye/main amd64 python3-setuptools all 52.0.0-4 [366 kB]
Get:13 tor+https://deb.debian.org/debian bullseye/main amd64 python3-wheel all 0.34.2-1 [24.0 kB]   
Get:14 tor+https://deb.debian.org/debian bullseye/main amd64 python3-pip all 20.3.4-4+deb11u1 [337 kB]
Fetched 18.7 MB in 1min 34s (200 kB/s)                                                              
Selecting previously unselected package libstdc++-10-dev:amd64.
(Reading database ... 114876 files and directories currently installed.)
Preparing to unpack .../00-libstdc++-10-dev_10.2.1-6_amd64.deb ...
Unpacking libstdc++-10-dev:amd64 (10.2.1-6) ...
Selecting previously unselected package g++-10.
Preparing to unpack .../01-g++-10_10.2.1-6_amd64.deb ...
Unpacking g++-10 (10.2.1-6) ...
Selecting previously unselected package g++.
Preparing to unpack .../02-g++_4%3a10.2.1-1_amd64.deb ...
Unpacking g++ (4:10.2.1-1) ...
Selecting previously unselected package build-essential.
Preparing to unpack .../03-build-essential_12.9_amd64.deb ...
Unpacking build-essential (12.9) ...
Selecting previously unselected package libexpat1-dev:amd64.
Preparing to unpack .../04-libexpat1-dev_2.2.10-2+deb11u5_amd64.deb ...
Unpacking libexpat1-dev:amd64 (2.2.10-2+deb11u5) ...
Selecting previously unselected package libpython3.9-dev:amd64.
Preparing to unpack .../05-libpython3.9-dev_3.9.2-1_amd64.deb ...
Unpacking libpython3.9-dev:amd64 (3.9.2-1) ...
Selecting previously unselected package libpython3-dev:amd64.
Preparing to unpack .../06-libpython3-dev_3.9.2-3_amd64.deb ...
Unpacking libpython3-dev:amd64 (3.9.2-3) ...
Selecting previously unselected package python-pip-whl.
Preparing to unpack .../07-python-pip-whl_20.3.4-4+deb11u1_all.deb ...
Unpacking python-pip-whl (20.3.4-4+deb11u1) ...
Selecting previously unselected package zlib1g-dev:amd64.
Preparing to unpack .../08-zlib1g-dev_1%3a1.2.11.dfsg-2+deb11u2_amd64.deb ...
Unpacking zlib1g-dev:amd64 (1:1.2.11.dfsg-2+deb11u2) ...
Selecting previously unselected package python3.9-dev.
Preparing to unpack .../09-python3.9-dev_3.9.2-1_amd64.deb ...
Unpacking python3.9-dev (3.9.2-1) ...
Selecting previously unselected package python3-dev.
Preparing to unpack .../10-python3-dev_3.9.2-3_amd64.deb ...
Unpacking python3-dev (3.9.2-3) ...
Selecting previously unselected package python3-setuptools.
Preparing to unpack .../11-python3-setuptools_52.0.0-4_all.deb ...
Unpacking python3-setuptools (52.0.0-4) ...
Selecting previously unselected package python3-wheel.
Preparing to unpack .../12-python3-wheel_0.34.2-1_all.deb ...
Unpacking python3-wheel (0.34.2-1) ...
Selecting previously unselected package python3-pip.
Preparing to unpack .../13-python3-pip_20.3.4-4+deb11u1_all.deb ...
Unpacking python3-pip (20.3.4-4+deb11u1) ...
Setting up libstdc++-10-dev:amd64 (10.2.1-6) ...
Setting up g++-10 (10.2.1-6) ...
Setting up python3-setuptools (52.0.0-4) ...
Setting up python3-wheel (0.34.2-1) ...
Setting up libexpat1-dev:amd64 (2.2.10-2+deb11u5) ...
Setting up zlib1g-dev:amd64 (1:1.2.11.dfsg-2+deb11u2) ...
Setting up g++ (4:10.2.1-1) ...
update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ (c++) in auto mode
Setting up build-essential (12.9) ...
Setting up python-pip-whl (20.3.4-4+deb11u1) ...
Setting up libpython3.9-dev:amd64 (3.9.2-1) ...
Setting up python3-pip (20.3.4-4+deb11u1) ...
Setting up python3.9-dev (3.9.2-1) ...
Setting up libpython3-dev:amd64 (3.9.2-3) ...
Setting up python3-dev (3.9.2-3) ...
Processing triggers for man-db (2.9.4-2) ...
+ CURL=/usr/bin/curl
+ WGET='/usr/bin/wget --retry-on-host-error --retry-connrefused'
+ PYTHON=/usr/bin/python3
++ whoami
+ [[ user == \a\m\n\e\s\i\a ]]
++ mktemp -d
+ tmpDir=/tmp/tmp.PmLGuvVW1y
+ pushd /tmp/tmp.PmLGuvVW1y
/tmp/tmp.PmLGuvVW1y ~/QubesIncoming/buskill
+ /usr/bin/curl -s https://ifconfig.co/country
+ head -n1
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131}button,html{font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}@media (prefers-color-scheme:dark){body{background-color:#222;color:#d9d9d9}body a{color:#fff}body a:hover{color:#ee730a;text-decoration:underline}body .lds-ring div{border-color:#999 transparent transparent}body .font-red{color:#b20f03}body .big-button,body .pow-button{background-color:#4693ff;color:#1d1d1d}body #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body #challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI0IyMEYwMyIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjQjIwRjAzIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+)}}body{display:flex;flex-direction:column;min-height:100vh}body.no-js .loading-spinner{visibility:hidden}body.no-js .challenge-running{display:none}body.dark{background-color:#222;color:#d9d9d9}body.dark a{color:#fff}body.dark a:hover{color:#ee730a;text-decoration:underline}body.dark .lds-ring div{border-color:#999 transparent transparent}body.dark .font-red{color:#b20f03}body.dark .big-button,body.dark .pow-button{background-color:#4693ff;color:#1d1d1d}body.dark #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjZDlkOWQ5IiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body.dark #challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI0IyMEYwMyIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjQjIwRjAzIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+)}body.light{background-color:transparent;color:#313131}body.light a{color:#0051c3}body.light a:hover{color:#ee730a;text-decoration:underline}body.light .lds-ring div{border-color:#595959 transparent transparent}body.light .font-red{color:#fc574a}body.light .big-button,body.light .pow-button{background-color:#003681;border-color:#003681;color:#fff}body.light #challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=)}body.light #challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI2ZjNTc0YSIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjZmM1NzRhIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+)}a{background-color:transparent;color:#0051c3;text-decoration:none;transition:color .15s ease}a:hover{color:#ee730a;text-decoration:underline}.main-content{margin:8rem auto;max-width:60rem;width:100%}.heading-favicon{height:2rem;margin-right:.5rem;width:2rem}@media (width <= 720px){.main-content{margin-top:4rem}.heading-favicon{height:1.5rem;width:1.5rem}}.footer,.main-content{padding-left:1.5rem;padding-right:1.5rem}.main-wrapper{align-items:center;display:flex;flex:1;flex-direction:column}.font-red{color:#b20f03}.spacer{margin:2rem 0}.h1{font-size:2.5rem;font-weight:500;line-height:3.75rem}.h2{font-weight:500}.core-msg,.h2{font-size:1.5rem;line-height:2.25rem}.body-text,.core-msg{font-weight:400}.body-text{font-size:1rem;line-height:1.25rem}@media (width <= 720px){.h1{font-size:1.5rem;line-height:1.75rem}.h2{font-size:1.25rem}.core-msg,.h2{line-height:1.5rem}.core-msg{font-size:1rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI2ZjNTc0YSIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjZmM1NzRhIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+);padding-left:34px}#challenge-error-text,#challenge-success-text{background-repeat:no-repeat;background-size:contain}#challenge-success-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSIgdmlld0JveD0iMCAwIDI2IDI2Ij48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJNMTMgMGExMyAxMyAwIDEgMCAwIDI2IDEzIDEzIDAgMCAwIDAtMjZtMCAyNGExMSAxMSAwIDEgMSAwLTIyIDExIDExIDAgMCAxIDAgMjIiLz48cGF0aCBmaWxsPSIjMzEzMTMxIiBkPSJtMTAuOTU1IDE2LjA1NS0zLjk1LTQuMTI1LTEuNDQ1IDEuMzg1IDUuMzcgNS42MSA5LjQ5NS05LjYtMS40Mi0xLjQwNXoiLz48L3N2Zz4=);padding-left:42px}.text-center{text-align:center}.big-button{border:.063rem solid #0051c3;border-radius:.313rem;font-size:.875rem;line-height:1.313rem;padding:.375rem 1rem;transition-duration:.2s;transition-property:background-color,border-color,color;transition-timing-function:ease}.big-button:hover{cursor:pointer}.captcha-prompt:not(.hidden){display:flex}@media (width <= 720px){.captcha-prompt:not(.hidden){flex-wrap:wrap;justify-content:center}}.pow-button{background-color:#0051c3;color:#fff;margin:2rem 0}.pow-button:hover{background-color:#003681;border-color:#003681;color:#fff}.footer{font-size:.75rem;line-height:1.125rem;margin:0 auto;max-width:60rem;width:100%}.footer-inner{border-top:1px solid #d9d9d9;padding-bottom:1rem;padding-top:1rem}.clearfix:after{clear:both;content:"";display:table}.clearfix .column{float:left;padding-right:1.5rem;width:50%}.diagnostic-wrapper{margin-bottom:.5rem}.footer .ray-id{text-align:center}.footer .ray-id code{font-family:monaco,courier,monospace}.core-msg,.zone-name-title{overflow-wrap:break-word}@media (width <= 720px){.diagnostic-wrapper{display:flex;flex-wrap:wrap;justify-content:center}.clearfix:after{clear:none;content:none;display:initial;text-align:center}.column{padding-bottom:2rem}.clearfix .column{float:none;padding:0;width:auto;word-break:keep-all}.zone-name-title{margin-bottom:1rem}}.loading-spinner{height:76.391px}.lds-ring{display:inline-block;position:relative}.lds-ring,.lds-ring div{height:1.875rem;width:1.875rem}.lds-ring div{animation:lds-ring 1.2s cubic-bezier(.5,0,.5,1) infinite;border:.3rem solid transparent;border-radius:50%;border-top-color:#313131;box-sizing:border-box;display:block;position:absolute}.lds-ring div:first-child{animation-delay:-.45s}.lds-ring div:nth-child(2){animation-delay:-.3s}.lds-ring div:nth-child(3){animation-delay:-.15s}@keyframes lds-ring{0%{transform:rotate(0)}to{transform:rotate(1turn)}}@media screen and (-ms-high-contrast:active),screen and (-ms-high-contrast:none){.main-wrapper,body{display:block}}</style><meta http-equiv="refresh" content="375"></head><body class="no-js"><div class="main-wrapper" role="main"><div class="main-content"><noscript><div id="challenge-error-title"><div class="h2"><span id="challenge-error-text">Enable JavaScript and cookies to continue</span></div></div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "ifconfig.co",cType: 'managed',cNounce: '77273',cRay: '865905eb7acc3a72',cHash: '95873e94d042fa0',cUPMDTk: "\/country?__cf_chl_tk=lmDUvDV6c7Y1jY.T9kBHdO_rKdJyjWeCKLxOVpxkkrs-1710636986-0.0.1.1-1471",cFPWv: 'b',cTTimeMs: '1000',cMTimeMs: '375000',cTplV: 5,cTplB: 'cf',cK: "visitor-time",fa: "\/country?__cf_chl_f_tk=lmDUvDV6c7Y1jY.T9kBHdO_rKdJyjWeCKLxOVpxkkrs-1710636986-0.0.1.1-1471",md: "JkaqzEMCKwPmVGrE1MUjziZG7vpJsNb_QVVT82vaxfM-1710636986-1.1.1.1-ZzzRL5uCQw4GchLC_zj3ppWCMzf2m3FVh2YI4VkLH0EuwkrAE4J9DoDsf8N37RFXaPADu8HSlqE6WLUSgt2Lkvw9oE.I7sxDExDtBptqmkksGMFL2CHLLtrv9Aq.MN_n_D7p87HItGJyL.h1u_yoH4nUp.5xVM98XZ4.jZW9LQQzO_bdMGrrkCAlD_wbqggWCHs_CTbLjlWrxxmur0IB2.mnooddi8Uf_nbKIdDeuM2hbbbCKcYXfSx5cE6T4FiUhiva42HK6jLUscA5yk_5kkrtqResw9rORbwNEhEiDGh1FBn3ZxJ8sO0azRWKQ8NuBbqc.Gotb2XOpbGBr0VkbLtawY4Nm9bZSoCTU62zuv8X6tvcSjKIJPHOrvvYGErloHUTwx.Me0mOTIJ9XnYfVP4sVhUC4avxCj5FE_hUY5q5b9axUMIclNjVuy7.DSwuCqjRjHVTZrowxTtBvunQwi3yn4hYErY50InZVQbmmGgwdGZVIhx8Bu2EFc5Cj5qizyglgeg6wPVpQ2XsGTiIPa_5yU2w6f0x7Hr6WMn8zreUHwC4VeMEh85y2JNqtbgv.ITp5GTqRFudE072Fk56TTTqJ98ldhIA8klsIxa2rj1xs.KkzPPC6XmJIUDuGySGewxgBMZ2PqsM2HwmXnooBmLVAcOD3urqVFvU_NMJPXMLB3IXyZ1ZWKacRXKWRT000TrmB0PfrvKtFO8eJOw1fE6MFM3BXt8OGBStr9SeO48QeuVciRkv2vHP06yad5STpV4na29ZhXLOG4FPPkqS2r7wL53yntzFnMOtR77a4Y.pm_QaLH9bJWCIkh66jEv8N4abtyB3gxGc.phojvt6omppSdaEtAsf6eBxFIGtzl36_37Ne03bmhtrapJidRVy.715ax2xlxsW331HOh0yxUwhyF1lilPJhT_h5mT1tyFvToCIUgEn6Tjc2kLXIr2bAer3o4B1Rx1.ccqhOoyqsiPs5.Nm52hbSUPO23VUFOtTxpdwbgqlTvNJ1oz_CGlL9FOxtR_vqaViK2gqdV18JIowVA0edcj1VG1YkndzXYm6CWxFY3eZBgqkXRBHRiv6vXB7DkqQer9AlreMS3NhCKKt3UCQXbvtHmNpK00UFaMQhI5hIsm6KwBb9Y8CJVXGcdERjzsAHK8Yx6ZduKABA4sNcPTGHGLYj8p8u09ECwKMuxaV2dL0OQ6LKVF9pBNsmh3cF8jDQ_bygbDZYDFA5aROQpXD.7axQpdmOAiy8Yyr90x5WKmghiY737UokrWG85N93V4Vt3B3wte51IrjpJwwanpeusLarqvfG_0vwRcOxw0aq7Tafs7H3LXrxo_jhixwvoPG8zSpgqULqjCcxqSmsXQ1boFJn5XU1QOyi2d0hUdRTtXuwehMkIb3gndU",mdrd: "n46gbF9kycfbnM5IYcnmGtsCZWfu6419tcUSFtv.he8-1710636986-1.1.1.1-sxnMCq_tqWcP0VYDpYGZec4GOkw29BinVsfsuxhASZFcpSeIlUQkFvyqr2.OfTSTK2skmTLZ52kNVoJwIeez8liNDlr617C8_8qBczjA5YasBMpjHrb5oSg0relGucCIT9u1x1CYT4Wn1NC3cjkBKFxqqIkYSwOtpcBXau8t65mjwsOt1DQhqZypqqENrtHG6lEEiI_QL0XUXYrK7TpG0sl8fsQgacGSwegZFbLgfqPopVwpLA9lGh94_zGv_8ncifK0F9fHbBLhFxD5JE_fnF5C1dk0p9QOQEsyO8MRwrFnbUfk0ix4l3z3y4lO3Q.zLJkWJKboDtxAr2_29unZLOGjPA_kmxsU4O4zx.HR_qHNq3MgmfMVm60EdLpH_IzVKKO0rkJ6q1nvDzQLTNC_WTJtcKFY9bTJ_7BKGlia5Viy.P.HWBj2vk8jeTrJdnXsa5qH0xax7CEmwnahHxnCpVsD82ea1OHJ8YF4A63mraoMYYYgzlERoKMYWyYOKWUZ4O1zyNLenqupxoG1_2yWZlhC5LtwsBkBDuh8at1hw6PaxABKv6PgPh8nW4GgzWk59q5Bf6YCpAMh.t0YOQfFH4xPvm.PnBpQvw2JLCihm0ZBVAIarBMdaXTehTyfbs8qEfU_FHN1yQd16l9zuKbav2kEyOnTOZJyaY8gJTS47PPHiESvMgCzCVAsaS7n7GC2vtDxu71a3KOvw8aXc2.s2Gt2XuMoPv7BM7AZod2IULhbHOOoSJdSrBEc9vS6CIdLmMTlKkeT9E.fYolZHLBqam9BTFNN9JB_v.BjiGSBl3cFZnCmEd3Wkcb.LD.XR0vi7kIATcwr0d8U84fmF4VmC0.YSzDCef.jJi7HdwkE8c9_SbUvOhz3CZgTdlnoCZcQeWbloGB1ITaZtH0Jw7UJw98FzDVJZhU2yU0zVu9EeK4YZzqQ1eIno9txrmHzRn_jhTlJMqN11KExup1YWsiQFJlt_UmkCZJh5zO4_ITH97dBxCPU0b9fxIk8Vm2HC3hxG8Wx8oBi7B4pU_kO.iad5umiRcz9437k4P5sf6_P83bhojEVXHDo4je1ybdrWab3iiBwusP.BtqhyM49wBkbsnz.SRIERDkUB4Wa5Xjk04Ldil0SeII0RjDaSZD6_9qGNSAzsz7.Hht3NKGupXLvWEAY6VPstO2kAQpj85EbD4NuF84xushcJogpOU_4yzzhitd2DFspr3s92EKuG3Gurl1SPvCKnsMe9D0TDMoa_BsZ1YNgd_1apJKVMHs88ULsIYuV9nbRCZkEdfxDU6XNw0X0EKKtO9QHXi5m7Yl5QeOnt2q.r_bDXQcYemWwpW5iHM0zOw8LZ5RAcVWJQeFrfp1EO_uDVOy7fOppyfIMrVLBkKEXeZTK3J_Sc7UGf3lFRQpsLWR2fwUuH70So1_rv.PzynjkKmikR64CNcVoF_jmOQLWrhsh1kprW3VqBBzNxOsP9SShkjJ3MjWsh6OknMwTN8SCZO0gfGQ11YhNr.sbsSjNoEv9LtvAWxB29Ym7iK1dwJaJGuKW.Ys7WnK_Yyn_AyucVRhYsPawkpX2Shhfb_w3H5i5KlqzJT5dDKQx2hvD0eFmffJ_SRZA5kVOTZJSL5vLOxqNKphqCnvOZrlbDGTMSCL0lf8nUiR5Ea7xIC3a2_YNFc8ZUaAAsjklzl8XzDsWz6hFY290DceQ5ZnBiea99w3r5on4O5ml.DMv9T4m9SalZLlcy8JRa0ZBaYk3PjwPf323UINjIvZWMz2uCG86LXw8k977IjD3mpzWVr519x4KprDjVFsniC7rC9Me6s5FEJdDGrdxm9XCdRQXfxXzf4aAq9ckJ9DqYTGKmTrum_0LaMAIZY.qE16L33ubo44vCJyl32FE2hysYfRAWgqnirlnVXmJ_GoKhO.9",cRq: {ru: 'aHR0cHM6Ly9pZmNvbmZpZy5jby9jb3VudHJ5',ra: 'Y3VybC83Ljc0LjA=',rm: 'R0VU',d: 'AKrUUBQwdEQAZM8N2/9y3tk6nLA1avGXJi+easWe7dr/ETv09v7/4qi3R2BQlfAQxudqH2C/s0Vr8MvRhum525wWCwLCVr7iLs8WTzuNm0GZeeH5NfBzlcHecgg0TmiN+z6JadIq+6thv6104Twx5Cvtn4Ahhk+A6ReUAxpQ8Q56HgHfPpvHCj/omuWajhtJXveXZWph5/IREuCaJSotwyfom40XqAGNbrCRs5jXXuWHO2wo3vn5kMAv0h0Nv9Pacsl0po9jm8yyzV/w/MZwiyz2clplvflwP+diOK2HhTkqHM79qjyLi+RwwlrtrNceCAD/cb1EjqsC72EvTr2dsRZs2TrnOl0VUVJmXFEVIXzme5I14Fy7G99+Xj9pjkgPMErEgxfRvNklKeV+ThbBDb4KyMdLlo6bVfZfEVfAJl/FKJ1Kk9HDx5mtGLsonk+h4xq0lVM3Jgjjcv90CRPpe8euA7GwgNgumrmQT/W2oGWC3Lv71E9qWR5tXznNBGll',t: 'MTcxMDYzNjk4Ni4xNTQwMDA=',cT: Math.floor(Date.now() / 1000),m: 'ICeG1vUV6cCNM+cp7PMhP8yZt/26+CjZSo5hKaxb6e4=',i1: 'y2EGU4ZMypMROhmYLs6lzQ==',i2: '9ZsG6puIW/1fvAdGayhGTA==',zh: 'wfxagHEJWT3JG7Kg7GGlyGD+aeLZ/HC9BE3wDXuEzqE=',uh: 'zu+cQgicc5rF6Q8HHTJhdGCD3QVkjetpkn+QXGMpZBU=',hh: 'am/Zv95ZWAcmK4pRq/3uE/0XoTs/sjoPLUYI0lCN1aE=',}};var cpo = document.createElement('script');cpo.src = '/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=865905eb7acc3a72';window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;history.replaceState(null, null, "\/country?__cf_chl_rt_tk=lmDUvDV6c7Y1jY.T9kBHdO_rKdJyjWeCKLxOVpxkkrs-1710636986-0.0.1.1-1471" + window._cf_chl_opt.cOgUHash);cpo.onload = function() {history.replaceState(null, null, ogU);}}document.getElementsByTagName('head')[0].appendChild(cpo);}());</script></body></html>+ /usr/bin/curl -s https://check.torproject.org
+ head -n1
+ grep Congratulations
      Congratulations. This browser is configured to use Tor.
+ date -u +%Y-%m-%d
2024-03-17
...
+ sha256sum altgraph-0.17.4-py2.py3-none-any.whl appimagetool-x86_64.AppImage certifi-2024.2.2-py3-none-any.whl charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl distlib-0.3.8-py2.py3-none-any.whl docutils-0.20.1-py3-none-any.whl filelock-3.13.1-py3-none-any.whl future-1.0.0-py3-none-any.whl idna-3.6-py3-none-any.whl importlib_metadata-7.0.2-py3-none-any.whl Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl Kivy-2.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl kivy_deps.angle-0.4.0-cp37-cp37m-win_amd64.whl kivy_deps.glew-0.3.1-cp37-cp37m-win_amd64.whl kivy_deps.sdl2-0.7.0-cp37-cp37m-win_amd64.whl Kivy_Garden-0.1.5-py3-none-any.whl libusb-1.0.27.tar.bz2 libusb-1.0.27.tar.bz2.asc macholib-1.16.3-py2.py3-none-any.whl packaging-24.0-py3-none-any.whl pefile-2023.2.7-py3-none-any.whl pip-24.0-py3-none-any.whl platformdirs-4.2.0-py3-none-any.whl pygments-2.17.2-py3-none-any.whl pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl pypiwin32-223-py3-none-any.whl python-3.12.2-amd64.exe python-3.12.2-amd64.exe.asc python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage pywin32-306-cp37-cp37m-win_amd64.whl pywin32_ctypes-0.2.2-py3-none-any.whl requests-2.31.0-py3-none-any.whl setuptools-69.1.1-py3-none-any.whl squashfs4.4.tar.gz urllib3-2.2.1-py3-none-any.whl virtualenv-20.25.1-py3-none-any.whl wheel-0.42.0-py3-none-any.whl zipp-3.18.1-py3-none-any.whl
642743b4750de17e655e6711601b077bc6598dbfa3ba5fa2b2a35ce12b508dff  altgraph-0.17.4-py2.py3-none-any.whl
df3baf5ca5facbecfc2f3fa6713c29ab9cefa8fd8c1eac5d283b79cab33e4acb  appimagetool-x86_64.AppImage
dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1  certifi-2024.2.2-py3-none-any.whl
b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796  charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784  distlib-0.3.8-py2.py3-none-any.whl
96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6  docutils-0.20.1-py3-none-any.whl
57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c  filelock-3.13.1-py3-none-any.whl
929292d34f5872e70396626ef385ec22355a1fae8ad29e1a734c3e43f9fbc216  future-1.0.0-py3-none-any.whl
c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f  idna-3.6-py3-none-any.whl
f4bc4c0c070c490abf4ce96d715f68e95923320370efb66143df00199bb6c100  importlib_metadata-7.0.2-py3-none-any.whl
d2c6a411e2d837684d91b46231dd12db74fb1db6a2628e9f27581ce1583e5c8a  Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl
3be8db1eecc2d18859a7324b5cea79afb44095ccd73671987840afa26c68b0c9  Kivy-2.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
48592ac6f7c183c5cd10d9ebe43d4148d0b2b9e400a2b0bcb5d21014cc929ce2  kivy_deps.angle-0.4.0-cp37-cp37m-win_amd64.whl
d64a8625799fab7a7efeb3661ef8779a7f9c6d80da53eed87a956320f55530fa  kivy_deps.glew-0.3.1-cp37-cp37m-win_amd64.whl
95005fb3ae5b9e1d5edd32a6c0cfae9019efa2aeb3d909738dd73c5b9eea9dc1  kivy_deps.sdl2-0.7.0-cp37-cp37m-win_amd64.whl
ef50f44b96358cf10ac5665f27a4751bb34ef54051c54b93af891f80afe42929  Kivy_Garden-0.1.5-py3-none-any.whl
ffaa41d741a8a3bee244ac8e54a72ea05bf2879663c098c82fc5757853441575  libusb-1.0.27.tar.bz2
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
0e315d7583d38b8c77e815b1ecbdbf504a8258d8b3e17b61165c6feb60d18f2c  macholib-1.16.3-py2.py3-none-any.whl
2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5  packaging-24.0-py3-none-any.whl
da185cd2af68c08a6cd4481f7325ed600a88f6a813bad9dea07ab3ef73d8d8d6  pefile-2023.2.7-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068  platformdirs-4.2.0-py3-none-any.whl
b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c  pygments-2.17.2-py3-none-any.whl
7c76bfcb624803c311fa8fb137e4780d0ec86d11b7d90a8f43f185e2554afdcc  pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl
6701752d525e1f4eda1eaec2c2affc206171e15c7a4e188a152fcf3ed3308024  pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl
67adf399debc1d5d14dffc1ab5acacb800da569754fafdc576b2a039485aa775  pypiwin32-223-py3-none-any.whl
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65  python-3.12.2-amd64.exe
c85b82d619e6afd1731ef77761f47bc11eaff4ad51566fe692a484abd2c9bc58  python-3.12.2-amd64.exe.asc
4310f4c6e6972dbb01162fcd2bd887e111ba095c84242844f185aec5fc7ed0bd  python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage
72c5f621542d7bdd4fdb716227be0dd3f8565c11b280be6315b06ace35487d36  pywin32-306-cp37-cp37m-win_amd64.whl
bf490a1a709baf35d688fe0ecf980ed4de11d2b3e37b51e5442587a75d9957e7  pywin32_ctypes-0.2.2-py3-none-any.whl
58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f  requests-2.31.0-py3-none-any.whl
02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56  setuptools-69.1.1-py3-none-any.whl
a981b3f3f2054b5a2e658851a3c06a2460ad04a9a8a645e0afe063a63fdbb07e  squashfs4.4.tar.gz
450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d  urllib3-2.2.1-py3-none-any.whl
961c026ac520bac5f69acb8ea063e8a4f071bcc9457b9c1f28f6b085c511583a  virtualenv-20.25.1-py3-none-any.whl
177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d  wheel-0.42.0-py3-none-any.whl
206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b  zipp-3.18.1-py3-none-any.whl
user@host:~/QubesIncoming/buskill$

Here's python

Congratulations. This browser is configured to use Tor.
2024-03-17
<li><a class="reference external" href="https://keybase.io/stevedower/">Steve Dower (Windows binaries)</a> (key id: <a class="reference external" href="https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5">FC62 4643 4870 34E5</a>)</li>
7ed10b6531d7c8e1bc296021fc624643487034e5
gpg: key 0xFC624643487034E5: "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
--2024-03-17 02:04:36--  https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5
Resolving keybase.io (keybase.io)... 52.73.79.142
Connecting to keybase.io (keybase.io)|52.73.79.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3182 (3.1K) [text/plain]
Saving to: ‘pubkey.asc’

pubkey.asc          100%[===================>]   3.11K  --.-KB/s    in 0s      

2024-03-17 02:04:39 (95.5 MB/s) - ‘pubkey.asc’ saved [3182/3182]

gpg: key 0xFC624643487034E5: "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Sun 17 Mar 2024 02:04:39 AM UTC
6540096672a54a25e30f37e8700b98a94ba79b047b96a38df91db798f94a38e9  pubkey.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0xFC624643487034E5 2015-04-06 [SC]
      Key fingerprint = 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5
uid                             Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/0xE314D10907F87583 2015-04-06 [E]
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

user@host:/tmp/tmp.iPLV42thGf$

And libusb

Congratulations. This browser is configured to use Tor.
2024-03-17
--2024-03-17 02:04:46--  https://github.com/libusb/libusb/releases/download/v1.0.27/libusb-1.0.27.tar.bz2.asc
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240317%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240317T020449Z&X-Amz-Expires=300&X-Amz-Signature=96116f4de27d9c84dd63a33afc308f46153b90e045e254dadff5d831edf7ce34&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream [following]
--2024-03-17 02:04:50--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240317%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240317T020449Z&X-Amz-Expires=300&X-Amz-Signature=96116f4de27d9c84dd63a33afc308f46153b90e045e254dadff5d831edf7ce34&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/octet-stream]
Saving to: ‘libusb-1.0.27.tar.bz2.asc’

libusb-1.0.27.tar.bz 100%[====================>]     833  --.-KB/s    in 0s      

2024-03-17 02:04:53 (151 MB/s) - ‘libusb-1.0.27.tar.bz2.asc’ saved [833/833]

Sun 17 Mar 2024 02:04:53 AM UTC
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid AA0639079EFB61B9
    version 4, created 1706739331, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 84 5a
    hashed subpkt 33 len 21 (issuer fpr v4 9C7EA94939C69C4FBC3DBFA8AA0639079EFB61B9)
    hashed subpkt 2 len 4 (sig created 2024-01-31)
    subpkt 16 len 8 (issuer key ID AA0639079EFB61B9)
    data: [4093 bits]
user@host:/tmp/tmp.5epXZvOUNX$ 
Congratulations. This browser is configured to use Tor.
2024-03-17
<dl id="pgp-keys"> <dt>OpenPGP keys: </dt> <dd> <span style="word-wrap: anywhere">2C2E77AB60515D499CA488EFA32D8476BAF41D0C</span><span>,</span> <span style="word-wrap: anywhere">32EAC3AA2932F7F152850C2A0ECA153961EC0EEC</span><span>,</span> <span style="word-wrap: anywhere">C68187379B23DE9EFC46651E2C80FF56C6830A0E</span> </dd> </dl>
2C2E77AB60515D499CA488EFA32D8476BAF41D0C 32EAC3AA2932F7F152850C2A0ECA153961EC0EEC C68187379B23DE9EFC46651E2C80FF56C6830A0E
gpg: key 0xA32D8476BAF41D0C: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 0x0ECA153961EC0EEC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 0x2C80FF56C6830A0E: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
Sun 17 Mar 2024 02:05:24 AM UTC
sha256sum: '*': No such file or directory
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open '*'
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

user@host:/tmp/tmp.Xw0aA8ILjA$
maltfield commented 6 months ago

Here's TOFU 3/3 (ISP, exit in Ecuador) of the download.sh script

user@disp4921:~$ QubesIncoming/buskill/download.sh 
+ sudo apt-get -y install python3-pip python3-setuptools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  librnp0 linux-image-6.1.0-10-amd64 linux-image-6.1.0-11-amd64 linux-image-6.1.0-13-amd64
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  python3-wheel
Suggested packages:
  python-setuptools-doc
The following NEW packages will be installed:
  python3-pip python3-setuptools python3-wheel
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,877 kB of archives.
After this operation, 9,566 kB of additional disk space will be used.
Get:1 https://deb.debian.org/debian bookworm/main amd64 python3-setuptools all 66.1.1-1 [521 kB]
Get:2 https://deb.debian.org/debian bookworm/main amd64 python3-wheel all 0.38.4-2 [30.8 kB]
Get:3 https://deb.debian.org/debian bookworm/main amd64 python3-pip all 23.0.1+dfsg-1 [1,325 kB]
Fetched 1,877 kB in 2s (958 kB/s)        
Selecting previously unselected package python3-setuptools.
(Reading database ... 444121 files and directories currently installed.)
Preparing to unpack .../python3-setuptools_66.1.1-1_all.deb ...
Unpacking python3-setuptools (66.1.1-1) ...
Selecting previously unselected package python3-wheel.
Preparing to unpack .../python3-wheel_0.38.4-2_all.deb ...
Unpacking python3-wheel (0.38.4-2) ...
Selecting previously unselected package python3-pip.
Preparing to unpack .../python3-pip_23.0.1+dfsg-1_all.deb ...
Unpacking python3-pip (23.0.1+dfsg-1) ...
Setting up python3-setuptools (66.1.1-1) ...
Setting up python3-wheel (0.38.4-2) ...
Setting up python3-pip (23.0.1+dfsg-1) ...
Processing triggers for man-db (2.11.2-2) ...
+ CURL=/usr/bin/curl
+ WGET='/usr/bin/wget --retry-on-host-error --retry-connrefused'
+ PYTHON=/usr/bin/python3
++ whoami
+  user == \a\m\n\e\s\i\a 
++ mktemp -d
+ tmpDir=/tmp/tmp.AasZybdpC1
+ pushd /tmp/tmp.AasZybdpC1
/tmp/tmp.AasZybdpC1 ~
+ /usr/bin/curl -s https://ifconfig.co/country
+ head -n1
Ecuador
+ /usr/bin/curl -s https://check.torproject.org
+ head -n1
+ grep Congratulations
+ date -u +%Y-%m-%d
2024-03-18
...
+ sha256sum altgraph-0.17.4-py2.py3-none-any.whl certifi-2024.2.2-py3-none-any.whl charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl distlib-0.3.8-py2.py3-none-any.whl docutils-0.20.1-py3-none-any.whl filelock-3.13.1-py3-none-any.whl future-1.0.0-py3-none-any.whl idna-3.6-py3-none-any.whl Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Kivy_Garden-0.1.5-py3-none-any.whl macholib-1.16.3-py2.py3-none-any.whl packaging-24.0-py3-none-any.whl pefile-2023.2.7-py3-none-any.whl pip-24.0-py3-none-any.whl platformdirs-4.2.0-py3-none-any.whl pygments-2.17.2-py3-none-any.whl pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl pywin32_ctypes-0.2.2-py3-none-any.whl requests-2.31.0-py3-none-any.whl setuptools-69.1.1-py3-none-any.whl urllib3-2.2.1-py3-none-any.whl virtualenv-20.25.1-py3-none-any.whl wheel-0.42.0-py3-none-any.whl
642743b4750de17e655e6711601b077bc6598dbfa3ba5fa2b2a35ce12b508dff  altgraph-0.17.4-py2.py3-none-any.whl
dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1  certifi-2024.2.2-py3-none-any.whl
753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8  charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784  distlib-0.3.8-py2.py3-none-any.whl
96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6  docutils-0.20.1-py3-none-any.whl
57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c  filelock-3.13.1-py3-none-any.whl
929292d34f5872e70396626ef385ec22355a1fae8ad29e1a734c3e43f9fbc216  future-1.0.0-py3-none-any.whl
c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f  idna-3.6-py3-none-any.whl
7766baac2509d699df84b284579fa25ee31383d48893660cd8dba62081453a29  Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
ef50f44b96358cf10ac5665f27a4751bb34ef54051c54b93af891f80afe42929  Kivy_Garden-0.1.5-py3-none-any.whl
0e315d7583d38b8c77e815b1ecbdbf504a8258d8b3e17b61165c6feb60d18f2c  macholib-1.16.3-py2.py3-none-any.whl
2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5  packaging-24.0-py3-none-any.whl
da185cd2af68c08a6cd4481f7325ed600a88f6a813bad9dea07ab3ef73d8d8d6  pefile-2023.2.7-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068  platformdirs-4.2.0-py3-none-any.whl
b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c  pygments-2.17.2-py3-none-any.whl
7c76bfcb624803c311fa8fb137e4780d0ec86d11b7d90a8f43f185e2554afdcc  pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl
6701752d525e1f4eda1eaec2c2affc206171e15c7a4e188a152fcf3ed3308024  pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl
bf490a1a709baf35d688fe0ecf980ed4de11d2b3e37b51e5442587a75d9957e7  pywin32_ctypes-0.2.2-py3-none-any.whl
58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f  requests-2.31.0-py3-none-any.whl
02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56  setuptools-69.1.1-py3-none-any.whl
450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d  urllib3-2.2.1-py3-none-any.whl
961c026ac520bac5f69acb8ea063e8a4f071bcc9457b9c1f28f6b085c511583a  virtualenv-20.25.1-py3-none-any.whl
177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d  wheel-0.42.0-py3-none-any.whl
user@disp4921:~$

And python

user@disp4921:/tmp/tmp.GwZrIxFTfS$ CURL="/usr/bin/curl --compressed"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
date -u +"%Y-%m-%d"

# get the file
out=$(${CURL} -s https://www.python.org/downloads/ | grep -i 'windows binaries')
echo $out
fingerprint=$(echo $out | sed 's/.*fingerprint=\([^\"]*\).*/\1/')
echo $fingerprint
url=$(echo $out | sed 's/.*href="\([^\"]*\).*/\1/')
gpg --recv-keys $fingerprint
${WGET} -O pubkey.asc "${url}"
gpg --import pubkey.asc

# checksum
date -u
sha256sum *

# gpg fingerprint
gpg --with-fingerprint --keyid-format 0xlong *
gpg --keyid-format long --list-keys
bash: user: command not found
/tmp/tmp.1uO4yB2LUs /tmp/tmp.GwZrIxFTfS ~
Ecuador
2024-03-18
<li><a class="reference external" href="https://keybase.io/stevedower/">Steve Dower (Windows binaries)</a> (key id: <a class="reference external" href="https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5">FC62 4643 4870 34E5</a>)</li>
7ed10b6531d7c8e1bc296021fc624643487034e5
gpg: keyserver receive failed: Server indicated a failure
--2024-03-17 22:58:19--  https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5
Resolving keybase.io (keybase.io)... 54.147.197.174, 52.73.125.135
Connecting to keybase.io (keybase.io)|54.147.197.174|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3182 (3.1K) [text/plain]
Saving to: ‘pubkey.asc’

pubkey.asc                  100%[=========================================>]   3.11K  --.-KB/s    in 0s      

2024-03-17 22:58:19 (85.3 MB/s) - ‘pubkey.asc’ saved [3182/3182]

gpg: key FC624643487034E5: public key "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Mon Mar 18 03:58:19 AM UTC 2024
6540096672a54a25e30f37e8700b98a94ba79b047b96a38df91db798f94a38e9  pubkey.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0xFC624643487034E5 2015-04-06 [SC]
      Key fingerprint = 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5
uid                             Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/0xE314D10907F87583 2015-04-06 [E]
/home/user/.gnupg/pubring.kbx
--------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

user@disp4921:/tmp/tmp.1uO4yB2LUs$

And libusb

user@disp4921:/tmp/tmp.uq0FZG01IW$ REMOTE_FILES="https://github.com/libusb/libusb/releases/download/v1.0.27/libusb-1.0.27.tar.bz2.asc"

CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
date -u +"%Y-%m-%d"

# get the file
for file in ${REMOTE_FILES}; do
        wget ${file}
done

# checksum
date -u
sha256sum *

# gpg fingerprint
gpg --with-fingerprint --keyid-format 0xlong --list-packets *
bash: user: command not found
/tmp/tmp.vgjTVvzBim /tmp/tmp.uq0FZG01IW /tmp/tmp.GwZrIxFTfS
Ecuador
2024-03-18
--2024-03-17 22:56:37--  https://github.com/libusb/libusb/releases/download/v1.0.27/libusb-1.0.27.tar.bz2.asc
Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240318%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240318T035637Z&X-Amz-Expires=300&X-Amz-Signature=ee1a49c3647cb685afbd8a357788822e9764a1d66d697663137eac48e289a767&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream [following]
--2024-03-17 22:56:37--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240318%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240318T035637Z&X-Amz-Expires=300&X-Amz-Signature=ee1a49c3647cb685afbd8a357788822e9764a1d66d697663137eac48e289a767&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/octet-stream]
Saving to: ‘libusb-1.0.27.tar.bz2.asc’

libusb-1.0.27.tar.b 100%[===================>]     833  --.-KB/s    in 0s      

2024-03-17 22:56:38 (105 MB/s) - ‘libusb-1.0.27.tar.bz2.asc’ saved [833/833]

Mon Mar 18 03:56:38 AM UTC 2024
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid AA0639079EFB61B9
    version 4, created 1706739331, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 84 5a
    hashed subpkt 33 len 21 (issuer fpr v4 9C7EA94939C69C4FBC3DBFA8AA0639079EFB61B9)
    hashed subpkt 2 len 4 (sig created 2024-01-31)
    subpkt 16 len 8 (issuer key ID AA0639079EFB61B9)
    data: [4093 bits]
user@disp4921:/tmp/tmp.vgjTVvzBim$ 
user@disp4921:/tmp/tmp.vgjTVvzBim$ CURL="/usr/bin/curl"
WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
PYTHON="/usr/bin/python3"

# in tails, we must torify
if  "`whoami`" == "amnesia" ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
fi

tmpDir=`mktemp -d`
pushd "${tmpDir}"

# first get some info about our internet connection
${CURL} -s https://ifconfig.co/country | head -n1
${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

# and today's date
date -u +"%Y-%m-%d"

# get the file
out=$(${CURL} -s https://launchpad.net/~tormodvolden | grep -iA 20 'pgp-keys')
echo $out
fingerprints=$(echo $out | sed 's%.*\([A-Z0-9]\{40\}\).*\([A-Z0-9]\{40\}\).*\([A-Z0-9]\{40\}\).*%\1\n\2\n\3%')
echo $fingerprints

for fingerprint in $fingerprints; do
  gpg --recv-keys $fingerprint
done

# checksum
date -u
sha256sum *

# gpg fingerprint
gpg --with-fingerprint --keyid-format 0xlong *
gpg --keyid-format long --list-keys
bash: user: command not found
/tmp/tmp.BH3vcD7T6G /tmp/tmp.vgjTVvzBim /tmp/tmp.uq0FZG01IW /tmp/tmp.GwZrIxFTfS
Ecuador
2024-03-18
<dl id="pgp-keys"> <dt>OpenPGP keys: </dt> <dd> <span style="word-wrap: anywhere">2C2E77AB60515D499CA488EFA32D8476BAF41D0C</span><span>,</span> <span style="word-wrap: anywhere">32EAC3AA2932F7F152850C2A0ECA153961EC0EEC</span><span>,</span> <span style="word-wrap: anywhere">C68187379B23DE9EFC46651E2C80FF56C6830A0E</span> </dd> </dl>
2C2E77AB60515D499CA488EFA32D8476BAF41D0C 32EAC3AA2932F7F152850C2A0ECA153961EC0EEC C68187379B23DE9EFC46651E2C80FF56C6830A0E
gpg: keyserver receive failed: Server indicated a failure
gpg: keyserver receive failed: Server indicated a failure
gpg: keyserver receive failed: Server indicated a failure
Mon Mar 18 03:57:36 AM UTC 2024
sha256sum: '*': No such file or directory
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open '*'
user@disp4921:/tmp/tmp.BH3vcD7T6G$
maltfield commented 6 months ago

3TOFUs are not identical :(

appimagetool-x86_64.AppImage

For some reason this was identical in 1 & 2, but absent in 3

charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

This was identical in 1 & 2 but different on 3

b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796  charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796  charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8  charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Huh, the filename changed from cp39 to cp311. This isn't one we're downloading ourselves; it must have come as a depend from something else

Oh, that's the python version. cp39 for Python 3.9 and cp311 for Python 3.11. Yeah, the first executions were done on Debian 11 and the last one was Debian 12

Debian 11 has Python 3.8

user@disp8314:~$ cat /etc/issue
Debian GNU/Linux 11 \n \l

user@disp8314:~$ python3 --version
Python 3.9.2
user@disp8314:~$

Debian 12 has Python 3.9

user@disp4921:~$ cat /etc/issue
Debian GNU/Linux 12 \n \l

user@disp4921:~$ python3 --version
Python 3.11.2
user@disp4921:~$

The Tor system was Whonix, which -- annoyingly -- is going to be stuck on Python 3.9.

user@host:~$ cat /etc/whonix_version 
16
user@host:~$ python3 --version
Python 3.9.2
user@host:~$

It looks like Whonix 17 is based on Debian 12 https://www.whonix.org/wiki/Changelog#17.0.1.9

Apparently Whonix 17 was released mid last year https://fosstodon.org/@whonix/110781942474112630

Alright, I'm downloading Whonix 17 and I'll re-do the other two TOFUs with Python 3.11 https://www.whonix.org/wiki/Qubes/Install

maltfield commented 6 months ago

I tried building the buskill app in Debian 12 for the first time, but it looks like there were some iptables issues

+ iptables -A OUTPUT -m owner --uid-owner provisioner -j ACCEPT
iptables v1.8.9 (nf_tables): owner: Bad value for "--uid-owner" option: "provisioner"
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A OUTPUT -m owner --uid-owner runneradmin -j ACCEPT
iptables v1.8.9 (nf_tables): owner: Bad value for "--uid-owner" option: "runneradmin"
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A OUTPUT -m owner --uid-owner runner -j ACCEPT
iptables v1.8.9 (nf_tables): owner: Bad value for "--uid-owner" option: "runner"
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A OUTPUT -d 10.1.0.0/16 -j ACCEPT
+ iptables -A OUTPUT -j DROP
+ ip6tables-save

I disabled iptables for all but the _apt user (uid=100), but it looks like the latest version of iptables doesn't like the --uid-owner option?

Anyway, it causes a failure when trying to download the signed release from GitHub

+ /bin/su _apt -s /bin/bash -c 'wget "https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl"'
--2024-03-18 23:16:55--  https://github.com/vsajip/python-gnupg/releases/download/0.5.2/python_gnupg-0.5.2-py2.py3-none-any.whl
Resolving github.com (github.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address 'github.com'
maltfield commented 6 months ago

ok, looks like the uid of the _apt user changed from 100 to 42

user@buskill:~/sandbox/buskill-app$ grep -iE 'apt|provisioner|runneradmin|runner' /etc/passwd
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
user@buskill:~/sandbox/buskill-app$

Updating the uid fixed this issue.

maltfield commented 6 months ago

I realized that my download.sh script was fetching some python depends of the cp37 version, but now that we're updating to Python 3.12 on Windows, I had to change that.

Note that I didn't change the versions of the one file for macOS from cp37, since I still don't know how to download the latest version of Python as a bottle from brew's new GitHub Packages registry (see above).

I'm going to just start over with the 3TOFU. This time on all systems based on Debian 12 with Python 3.11 installed. And this time pulling depends for Windows running Python 3.12 (I hope I don't regret that platform discrepancy)

maltfield commented 6 months ago

Here's TOFU 1/3 (Tor, exit in United States) of the download.sh script, using Python 3.11 in Whonix 17 (based on Debian 12)

[workstation user ~/QubesIncoming/buskill]% ./download.sh
+ sudo apt-get -y install python3-pip python3-setuptools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
python3-pip is already the newest version (23.0.1+dfsg-1).
python3-setuptools is already the newest version (66.1.1-1).
The following packages were automatically installed and are no longer required:
  hexchat hexchat-common
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
+ CURL=/usr/bin/curl
+ WGET='/usr/bin/wget --retry-on-host-error --retry-connrefused'
+ PYTHON=/usr/bin/python3
++ whoami
+  user == \a\m\n\e\s\i\a 
++ mktemp -d
+ tmpDir=/tmp/user/1000/tmp.Ufp7kYSLW5
+ pushd /tmp/user/1000/tmp.Ufp7kYSLW5
/tmp/user/1000/tmp.Ufp7kYSLW5 ~/QubesIncoming/buskill
+ /usr/bin/curl -s https://ifconfig.co/country
+ head -n1
...
+ /usr/bin/curl -s https://check.torproject.org
+ head -n1
+ grep Congratulations
      Congratulations. This browser is configured to use Tor.
+ date -u +%Y-%m-%d
2024-03-19
...
+ sha256sum altgraph-0.17.4-py2.py3-none-any.whl appimagetool-x86_64.AppImage certifi-2024.2.2-py3-none-any.whl charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl distlib-0.3.8-py2.py3-none-any.whl docutils-0.20.1-py3-none-any.whl filelock-3.13.1-py3-none-any.whl future-1.0.0-py3-none-any.whl idna-3.6-py3-none-any.whl Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl kivy_deps.angle-0.4.0-cp312-cp312-win_amd64.whl kivy_deps.glew-0.3.1-cp312-cp312-win_amd64.whl kivy_deps.sdl2-0.7.0-cp312-cp312-win_amd64.whl Kivy_Garden-0.1.5-py3-none-any.whl libusb-1.0.27.tar.bz2 libusb-1.0.27.tar.bz2.asc macholib-1.16.3-py2.py3-none-any.whl packaging-24.0-py3-none-any.whl pefile-2023.2.7-py3-none-any.whl pip-24.0-py3-none-any.whl platformdirs-4.2.0-py3-none-any.whl pygments-2.17.2-py3-none-any.whl pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl pypiwin32-223-py3-none-any.whl python-3.12.2-amd64.exe python-3.12.2-amd64.exe.asc python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage pywin32-306-cp312-cp312-win_amd64.whl pywin32_ctypes-0.2.2-py3-none-any.whl requests-2.31.0-py3-none-any.whl setuptools-69.1.1-py3-none-any.whl squashfs4.4.tar.gz urllib3-2.2.1-py3-none-any.whl virtualenv-20.25.1-py3-none-any.whl wheel-0.42.0-py3-none-any.whl
642743b4750de17e655e6711601b077bc6598dbfa3ba5fa2b2a35ce12b508dff  altgraph-0.17.4-py2.py3-none-any.whl
df3baf5ca5facbecfc2f3fa6713c29ab9cefa8fd8c1eac5d283b79cab33e4acb  appimagetool-x86_64.AppImage
dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1  certifi-2024.2.2-py3-none-any.whl
753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8  charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784  distlib-0.3.8-py2.py3-none-any.whl
96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6  docutils-0.20.1-py3-none-any.whl
57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c  filelock-3.13.1-py3-none-any.whl
929292d34f5872e70396626ef385ec22355a1fae8ad29e1a734c3e43f9fbc216  future-1.0.0-py3-none-any.whl
c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f  idna-3.6-py3-none-any.whl
7766baac2509d699df84b284579fa25ee31383d48893660cd8dba62081453a29  Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
d2c6a411e2d837684d91b46231dd12db74fb1db6a2628e9f27581ce1583e5c8a  Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl
668e670d4afd2551af0af2c627ceb0feac884bd799fb6a3dff78fdbfa2ea0451  kivy_deps.angle-0.4.0-cp312-cp312-win_amd64.whl
3acbbd30da05fc10c185b5d4bb75fbbc882a6ef2192963050c1c94d60a6e795a  kivy_deps.glew-0.3.1-cp312-cp312-win_amd64.whl
e56d5d651f81545c24f920f6f6e5d67b4100802152521022ccde53e822c507a2  kivy_deps.sdl2-0.7.0-cp312-cp312-win_amd64.whl
ef50f44b96358cf10ac5665f27a4751bb34ef54051c54b93af891f80afe42929  Kivy_Garden-0.1.5-py3-none-any.whl
ffaa41d741a8a3bee244ac8e54a72ea05bf2879663c098c82fc5757853441575  libusb-1.0.27.tar.bz2
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
0e315d7583d38b8c77e815b1ecbdbf504a8258d8b3e17b61165c6feb60d18f2c  macholib-1.16.3-py2.py3-none-any.whl
2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5  packaging-24.0-py3-none-any.whl
da185cd2af68c08a6cd4481f7325ed600a88f6a813bad9dea07ab3ef73d8d8d6  pefile-2023.2.7-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068  platformdirs-4.2.0-py3-none-any.whl
b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c  pygments-2.17.2-py3-none-any.whl
7c76bfcb624803c311fa8fb137e4780d0ec86d11b7d90a8f43f185e2554afdcc  pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl
6701752d525e1f4eda1eaec2c2affc206171e15c7a4e188a152fcf3ed3308024  pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl
67adf399debc1d5d14dffc1ab5acacb800da569754fafdc576b2a039485aa775  pypiwin32-223-py3-none-any.whl
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65  python-3.12.2-amd64.exe
c85b82d619e6afd1731ef77761f47bc11eaff4ad51566fe692a484abd2c9bc58  python-3.12.2-amd64.exe.asc
4310f4c6e6972dbb01162fcd2bd887e111ba095c84242844f185aec5fc7ed0bd  python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage
37257794c1ad39ee9be652da0462dc2e394c8159dfd913a8a4e8eb6fd346da0e  pywin32-306-cp312-cp312-win_amd64.whl
bf490a1a709baf35d688fe0ecf980ed4de11d2b3e37b51e5442587a75d9957e7  pywin32_ctypes-0.2.2-py3-none-any.whl
58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f  requests-2.31.0-py3-none-any.whl
02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56  setuptools-69.1.1-py3-none-any.whl
a981b3f3f2054b5a2e658851a3c06a2460ad04a9a8a645e0afe063a63fdbb07e  squashfs4.4.tar.gz
450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d  urllib3-2.2.1-py3-none-any.whl
961c026ac520bac5f69acb8ea063e8a4f071bcc9457b9c1f28f6b085c511583a  virtualenv-20.25.1-py3-none-any.whl
177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d  wheel-0.42.0-py3-none-any.whl
[workstation user ~/QubesIncoming/buskill]%

And python

Congratulations. This browser is configured to use Tor.
2024-03-19
<li><a class="reference external" href="https://keybase.io/stevedower/">Steve Dower (Windows binaries)</a> (key id: <a class="reference external" href="https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5">FC62 4643 4870 34E5</a>)</li>
7ed10b6531d7c8e1bc296021fc624643487034e5
gpg: key 0xFC624643487034E5: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
--2024-03-19 01:08:50--  https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5
Resolving keybase.io (keybase.io)... 54.147.197.174
Connecting to keybase.io (keybase.io)|54.147.197.174|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3182 (3.1K) [text/plain]
Saving to: ‘pubkey.asc’

pubkey.asc          100%[===================>]   3.11K  --.-KB/s    in 0s      

2024-03-19 01:08:53 (78.2 MB/s) - ‘pubkey.asc’ saved [3182/3182]

gpg: key 0xFC624643487034E5: public key "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Tue Mar 19 01:08:53 AM UTC 2024
6540096672a54a25e30f37e8700b98a94ba79b047b96a38df91db798f94a38e9  pubkey.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0xFC624643487034E5 2015-04-06 [SC]
      Key fingerprint = 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5
uid                             Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/0xE314D10907F87583 2015-04-06 [E]
/home/user/.gnupg/pubring.kbx
--------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

user@host:/tmp/user/1000/tmp.Ru5lKa9bfC$

And libusb

Congratulations. This browser is configured to use Tor.
2024-03-19
--2024-03-19 01:07:51--  https://github.com/libusb/libusb/releases/download/v1.0.27/libusb-1.0.27.tar.bz2.asc
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240319%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240319T010754Z&X-Amz-Expires=300&X-Amz-Signature=4cdc86d75e9ad3bb95cc9ed131a2e151e10fca8d554fd57696ea06870cf5293f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream [following]
--2024-03-19 01:07:54--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240319%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240319T010754Z&X-Amz-Expires=300&X-Amz-Signature=4cdc86d75e9ad3bb95cc9ed131a2e151e10fca8d554fd57696ea06870cf5293f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/octet-stream]
Saving to: ‘libusb-1.0.27.tar.bz2.asc’

libusb-1.0.27.tar.b 100%[===================>]     833  --.-KB/s    in 0s      

2024-03-19 01:07:57 (150 MB/s) - ‘libusb-1.0.27.tar.bz2.asc’ saved [833/833]

Tue Mar 19 01:07:57 AM UTC 2024
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid AA0639079EFB61B9
    version 4, created 1706739331, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 84 5a
    hashed subpkt 33 len 21 (issuer fpr v4 9C7EA94939C69C4FBC3DBFA8AA0639079EFB61B9)
    hashed subpkt 2 len 4 (sig created 2024-01-31)
    subpkt 16 len 8 (issuer key ID AA0639079EFB61B9)
    data: [4093 bits]
user@host:/tmp/user/1000/tmp.qTPNmMP0DU$ 
Congratulations. This browser is configured to use Tor.
2024-03-19
<dl id="pgp-keys"> <dt>OpenPGP keys: </dt> <dd> <span style="word-wrap: anywhere">2C2E77AB60515D499CA488EFA32D8476BAF41D0C</span><span>,</span> <span style="word-wrap: anywhere">32EAC3AA2932F7F152850C2A0ECA153961EC0EEC</span><span>,</span> <span style="word-wrap: anywhere">C68187379B23DE9EFC46651E2C80FF56C6830A0E</span> </dd> </dl>
2C2E77AB60515D499CA488EFA32D8476BAF41D0C 32EAC3AA2932F7F152850C2A0ECA153961EC0EEC C68187379B23DE9EFC46651E2C80FF56C6830A0E
gpg: key 0xA32D8476BAF41D0C: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 0x0ECA153961EC0EEC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 0x2C80FF56C6830A0E: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
Tue Mar 19 01:10:37 AM UTC 2024
sha256sum: '*': No such file or directory
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open '*'
/home/user/.gnupg/pubring.kbx
--------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

user@host:/tmp/user/1000/tmp.NLvYW4sIUs$
maltfield commented 6 months ago

Here's TOFU 2/3 (VPN, exit in Bulgaria) of the download.sh script, using Python 3.11 in Whonix 17 (based on Debian 12)

Bulgaria
+ /usr/bin/curl -s https://check.torproject.org
+ head -n1
+ grep Congratulations
+ date -u +%Y-%m-%d
2024-03-20
...
+ sha256sum altgraph-0.17.4-py2.py3-none-any.whl appimagetool-x86_64.AppImage certifi-2024.2.2-py3-none-any.whl charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl distlib-0.3.8-py2.py3-none-any.whl docutils-0.20.1-py3-none-any.whl filelock-3.13.1-py3-none-any.whl future-1.0.0-py3-none-any.whl idna-3.6-py3-none-any.whl Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl kivy_deps.angle-0.4.0-cp312-cp312-win_amd64.whl kivy_deps.glew-0.3.1-cp312-cp312-win_amd64.whl kivy_deps.sdl2-0.7.0-cp312-cp312-win_amd64.whl Kivy_Garden-0.1.5-py3-none-any.whl libusb-1.0.27.tar.bz2 libusb-1.0.27.tar.bz2.asc macholib-1.16.3-py2.py3-none-any.whl packaging-24.0-py3-none-any.whl pefile-2023.2.7-py3-none-any.whl pip-24.0-py3-none-any.whl platformdirs-4.2.0-py3-none-any.whl pygments-2.17.2-py3-none-any.whl pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl pypiwin32-223-py3-none-any.whl python-3.12.2-amd64.exe python-3.12.2-amd64.exe.asc python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage pywin32-306-cp312-cp312-win_amd64.whl pywin32_ctypes-0.2.2-py3-none-any.whl requests-2.31.0-py3-none-any.whl setuptools-69.1.1-py3-none-any.whl squashfs4.4.tar.gz urllib3-2.2.1-py3-none-any.whl virtualenv-20.25.1-py3-none-any.whl wheel-0.42.0-py3-none-any.whl
642743b4750de17e655e6711601b077bc6598dbfa3ba5fa2b2a35ce12b508dff  altgraph-0.17.4-py2.py3-none-any.whl
df3baf5ca5facbecfc2f3fa6713c29ab9cefa8fd8c1eac5d283b79cab33e4acb  appimagetool-x86_64.AppImage
dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1  certifi-2024.2.2-py3-none-any.whl
753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8  charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784  distlib-0.3.8-py2.py3-none-any.whl
96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6  docutils-0.20.1-py3-none-any.whl
57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c  filelock-3.13.1-py3-none-any.whl
929292d34f5872e70396626ef385ec22355a1fae8ad29e1a734c3e43f9fbc216  future-1.0.0-py3-none-any.whl
c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f  idna-3.6-py3-none-any.whl
7766baac2509d699df84b284579fa25ee31383d48893660cd8dba62081453a29  Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
d2c6a411e2d837684d91b46231dd12db74fb1db6a2628e9f27581ce1583e5c8a  Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl
668e670d4afd2551af0af2c627ceb0feac884bd799fb6a3dff78fdbfa2ea0451  kivy_deps.angle-0.4.0-cp312-cp312-win_amd64.whl
3acbbd30da05fc10c185b5d4bb75fbbc882a6ef2192963050c1c94d60a6e795a  kivy_deps.glew-0.3.1-cp312-cp312-win_amd64.whl
e56d5d651f81545c24f920f6f6e5d67b4100802152521022ccde53e822c507a2  kivy_deps.sdl2-0.7.0-cp312-cp312-win_amd64.whl
ef50f44b96358cf10ac5665f27a4751bb34ef54051c54b93af891f80afe42929  Kivy_Garden-0.1.5-py3-none-any.whl
ffaa41d741a8a3bee244ac8e54a72ea05bf2879663c098c82fc5757853441575  libusb-1.0.27.tar.bz2
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
0e315d7583d38b8c77e815b1ecbdbf504a8258d8b3e17b61165c6feb60d18f2c  macholib-1.16.3-py2.py3-none-any.whl
2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5  packaging-24.0-py3-none-any.whl
da185cd2af68c08a6cd4481f7325ed600a88f6a813bad9dea07ab3ef73d8d8d6  pefile-2023.2.7-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068  platformdirs-4.2.0-py3-none-any.whl
b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c  pygments-2.17.2-py3-none-any.whl
7c76bfcb624803c311fa8fb137e4780d0ec86d11b7d90a8f43f185e2554afdcc  pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl
6701752d525e1f4eda1eaec2c2affc206171e15c7a4e188a152fcf3ed3308024  pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl
67adf399debc1d5d14dffc1ab5acacb800da569754fafdc576b2a039485aa775  pypiwin32-223-py3-none-any.whl
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65  python-3.12.2-amd64.exe
c85b82d619e6afd1731ef77761f47bc11eaff4ad51566fe692a484abd2c9bc58  python-3.12.2-amd64.exe.asc
4310f4c6e6972dbb01162fcd2bd887e111ba095c84242844f185aec5fc7ed0bd  python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage
37257794c1ad39ee9be652da0462dc2e394c8159dfd913a8a4e8eb6fd346da0e  pywin32-306-cp312-cp312-win_amd64.whl
bf490a1a709baf35d688fe0ecf980ed4de11d2b3e37b51e5442587a75d9957e7  pywin32_ctypes-0.2.2-py3-none-any.whl
58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f  requests-2.31.0-py3-none-any.whl
02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56  setuptools-69.1.1-py3-none-any.whl
a981b3f3f2054b5a2e658851a3c06a2460ad04a9a8a645e0afe063a63fdbb07e  squashfs4.4.tar.gz
450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d  urllib3-2.2.1-py3-none-any.whl
961c026ac520bac5f69acb8ea063e8a4f071bcc9457b9c1f28f6b085c511583a  virtualenv-20.25.1-py3-none-any.whl
177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d  wheel-0.42.0-py3-none-any.whl

And python

Bulgaria
2024-03-20
<li><a class="reference external" href="https://keybase.io/stevedower/">Steve Dower (Windows binaries)</a> (key id: <a class="reference external" href="https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5">FC62 4643 4870 34E5</a>)</li>
7ed10b6531d7c8e1bc296021fc624643487034e5
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: key FC624643487034E5: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
--2024-03-19 19:31:22--  https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5
Resolving keybase.io (keybase.io)... 52.73.125.135, 54.147.197.174
Connecting to keybase.io (keybase.io)|52.73.125.135|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3182 (3.1K) [text/plain]
Saving to: ‘pubkey.asc’

pubkey.asc          100%[===================>]   3.11K  --.-KB/s    in 0s      

2024-03-19 19:31:24 (88.2 MB/s) - ‘pubkey.asc’ saved [3182/3182]

gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key FC624643487034E5: public key "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Wed Mar 20 12:31:24 AM UTC 2024
6540096672a54a25e30f37e8700b98a94ba79b047b96a38df91db798f94a38e9  pubkey.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0xFC624643487034E5 2015-04-06 [SC]
      Key fingerprint = 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5
uid                             Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/0xE314D10907F87583 2015-04-06 [E]
/home/user/.gnupg/pubring.kbx
--------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

And libusb

Bulgaria
2024-03-20
--2024-03-19 19:31:53--  https://github.com/libusb/libusb/releases/download/v1.0.27/libusb-1.0.27.tar.bz2.asc
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240320%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240320T003154Z&X-Amz-Expires=300&X-Amz-Signature=5e2470b43f162a61f6d80de8a942bf3645d37d364094f44a22eecdd2271ecc98&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream [following]
--2024-03-19 19:31:54--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/15120676/418d3d4b-c9a4-46c7-9088-849a47a12c0b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240320%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240320T003154Z&X-Amz-Expires=300&X-Amz-Signature=5e2470b43f162a61f6d80de8a942bf3645d37d364094f44a22eecdd2271ecc98&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=15120676&response-content-disposition=attachment%3B%20filename%3Dlibusb-1.0.27.tar.bz2.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/octet-stream]
Saving to: ‘libusb-1.0.27.tar.bz2.asc’

libusb-1.0.27.tar.b 100%[===================>]     833  --.-KB/s    in 0s      

2024-03-19 19:31:56 (30.9 MB/s) - ‘libusb-1.0.27.tar.bz2.asc’ saved [833/833]

Wed Mar 20 12:31:56 AM UTC 2024
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid AA0639079EFB61B9
    version 4, created 1706739331, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 84 5a
    hashed subpkt 33 len 21 (issuer fpr v4 9C7EA94939C69C4FBC3DBFA8AA0639079EFB61B9)
    hashed subpkt 2 len 4 (sig created 2024-01-31)
    subpkt 16 len 8 (issuer key ID AA0639079EFB61B9)
    data: [4093 bits]
Bulgaria
2024-03-20
<dl id="pgp-keys"> <dt>OpenPGP keys: </dt> <dd> <span style="word-wrap: anywhere">2C2E77AB60515D499CA488EFA32D8476BAF41D0C</span><span>,</span> <span style="word-wrap: anywhere">32EAC3AA2932F7F152850C2A0ECA153961EC0EEC</span><span>,</span> <span style="word-wrap: anywhere">C68187379B23DE9EFC46651E2C80FF56C6830A0E</span> </dd> </dl>
2C2E77AB60515D499CA488EFA32D8476BAF41D0C 32EAC3AA2932F7F152850C2A0ECA153961EC0EEC C68187379B23DE9EFC46651E2C80FF56C6830A0E
gpg: key A32D8476BAF41D0C: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 0ECA153961EC0EEC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 2C80FF56C6830A0E: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
Wed Mar 20 12:51:34 AM UTC 2024
sha256sum: '*': No such file or directory
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open '*'
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]
maltfield commented 6 months ago

Here's TOFU 3/3 (ISP, exit in Ecuador) of the download.sh script, using Python 3.11 in Debian 12

Ecuador
+ head -n1
+ /usr/bin/curl -s https://check.torproject.org
+ grep Congratulations
+ date -u +%Y-%m-%d
2024-03-21
...
+ sha256sum altgraph-0.17.4-py2.py3-none-any.whl appimagetool-x86_64.AppImage certifi-2024.2.2-py3-none-any.whl charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl distlib-0.3.8-py2.py3-none-any.whl docutils-0.20.1-py3-none-any.whl filelock-3.13.1-py3-none-any.whl future-1.0.0-py3-none-any.whl idna-3.6-py3-none-any.whl Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl kivy_deps.angle-0.4.0-cp312-cp312-win_amd64.whl kivy_deps.glew-0.3.1-cp312-cp312-win_amd64.whl kivy_deps.sdl2-0.7.0-cp312-cp312-win_amd64.whl Kivy_Garden-0.1.5-py3-none-any.whl libusb-1.0.27.tar.bz2 libusb-1.0.27.tar.bz2.asc macholib-1.16.3-py2.py3-none-any.whl packaging-24.0-py3-none-any.whl pefile-2023.2.7-py3-none-any.whl pip-24.0-py3-none-any.whl platformdirs-4.2.0-py3-none-any.whl pygments-2.17.2-py3-none-any.whl pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl pypiwin32-223-py3-none-any.whl python-3.12.2-amd64.exe python-3.12.2-amd64.exe.asc python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage pywin32-306-cp312-cp312-win_amd64.whl pywin32_ctypes-0.2.2-py3-none-any.whl requests-2.31.0-py3-none-any.whl setuptools-69.1.1-py3-none-any.whl squashfs4.4.tar.gz urllib3-2.2.1-py3-none-any.whl virtualenv-20.25.1-py3-none-any.whl wheel-0.42.0-py3-none-any.whl
642743b4750de17e655e6711601b077bc6598dbfa3ba5fa2b2a35ce12b508dff  altgraph-0.17.4-py2.py3-none-any.whl
df3baf5ca5facbecfc2f3fa6713c29ab9cefa8fd8c1eac5d283b79cab33e4acb  appimagetool-x86_64.AppImage
dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1  certifi-2024.2.2-py3-none-any.whl
753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8  charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784  distlib-0.3.8-py2.py3-none-any.whl
96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6  docutils-0.20.1-py3-none-any.whl
57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c  filelock-3.13.1-py3-none-any.whl
929292d34f5872e70396626ef385ec22355a1fae8ad29e1a734c3e43f9fbc216  future-1.0.0-py3-none-any.whl
c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f  idna-3.6-py3-none-any.whl
7766baac2509d699df84b284579fa25ee31383d48893660cd8dba62081453a29  Kivy-2.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
d2c6a411e2d837684d91b46231dd12db74fb1db6a2628e9f27581ce1583e5c8a  Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl
668e670d4afd2551af0af2c627ceb0feac884bd799fb6a3dff78fdbfa2ea0451  kivy_deps.angle-0.4.0-cp312-cp312-win_amd64.whl
3acbbd30da05fc10c185b5d4bb75fbbc882a6ef2192963050c1c94d60a6e795a  kivy_deps.glew-0.3.1-cp312-cp312-win_amd64.whl
e56d5d651f81545c24f920f6f6e5d67b4100802152521022ccde53e822c507a2  kivy_deps.sdl2-0.7.0-cp312-cp312-win_amd64.whl
ef50f44b96358cf10ac5665f27a4751bb34ef54051c54b93af891f80afe42929  Kivy_Garden-0.1.5-py3-none-any.whl
ffaa41d741a8a3bee244ac8e54a72ea05bf2879663c098c82fc5757853441575  libusb-1.0.27.tar.bz2
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
0e315d7583d38b8c77e815b1ecbdbf504a8258d8b3e17b61165c6feb60d18f2c  macholib-1.16.3-py2.py3-none-any.whl
2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5  packaging-24.0-py3-none-any.whl
da185cd2af68c08a6cd4481f7325ed600a88f6a813bad9dea07ab3ef73d8d8d6  pefile-2023.2.7-py3-none-any.whl
ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc  pip-24.0-py3-none-any.whl
0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068  platformdirs-4.2.0-py3-none-any.whl
b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c  pygments-2.17.2-py3-none-any.whl
7c76bfcb624803c311fa8fb137e4780d0ec86d11b7d90a8f43f185e2554afdcc  pyinstaller-6.5.0-py3-none-manylinux2014_x86_64.whl
6701752d525e1f4eda1eaec2c2affc206171e15c7a4e188a152fcf3ed3308024  pyinstaller_hooks_contrib-2024.3-py2.py3-none-any.whl
67adf399debc1d5d14dffc1ab5acacb800da569754fafdc576b2a039485aa775  pypiwin32-223-py3-none-any.whl
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65  python-3.12.2-amd64.exe
c85b82d619e6afd1731ef77761f47bc11eaff4ad51566fe692a484abd2c9bc58  python-3.12.2-amd64.exe.asc
4310f4c6e6972dbb01162fcd2bd887e111ba095c84242844f185aec5fc7ed0bd  python3.12.2-cp312-cp312-manylinux2014_x86_64.AppImage
37257794c1ad39ee9be652da0462dc2e394c8159dfd913a8a4e8eb6fd346da0e  pywin32-306-cp312-cp312-win_amd64.whl
bf490a1a709baf35d688fe0ecf980ed4de11d2b3e37b51e5442587a75d9957e7  pywin32_ctypes-0.2.2-py3-none-any.whl
58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f  requests-2.31.0-py3-none-any.whl
02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56  setuptools-69.1.1-py3-none-any.whl
a981b3f3f2054b5a2e658851a3c06a2460ad04a9a8a645e0afe063a63fdbb07e  squashfs4.4.tar.gz
450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d  urllib3-2.2.1-py3-none-any.whl
961c026ac520bac5f69acb8ea063e8a4f071bcc9457b9c1f28f6b085c511583a  virtualenv-20.25.1-py3-none-any.whl
177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d  wheel-0.42.0-py3-none-any.whl
user@disp5930:~/QubesIncoming/buskill$

And python

Ecuador
2024-03-21
<li><a class="reference external" href="https://keybase.io/stevedower/">Steve Dower (Windows binaries)</a> (key id: <a class="reference external" href="https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5">FC62 4643 4870 34E5</a>)</li>
7ed10b6531d7c8e1bc296021fc624643487034e5
gpg: key FC624643487034E5: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
...
Resolving keybase.io (keybase.io)... 52.73.125.135, 54.147.197.174
Connecting to keybase.io (keybase.io)|52.73.125.135|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3182 (3.1K) [text/plain]
Saving to: ‘pubkey.asc’
...
gpg: key FC624643487034E5: public key "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Thu Mar 21 OBFUSCATED UTC 2024
6540096672a54a25e30f37e8700b98a94ba79b047b96a38df91db798f94a38e9  pubkey.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096/0xFC624643487034E5 2015-04-06 [SC]
      Key fingerprint = 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5
uid                             Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/0xE314D10907F87583 2015-04-06 [E]
/home/user/.gnupg/pubring.kbx
--------------------
pub   rsa4096/FC624643487034E5 2015-04-06 [SC]
      7ED10B6531D7C8E1BC296021FC624643487034E5
uid                 [ unknown] Steve Dower (Python Release Signing) <steve.dower@microsoft.com>
sub   rsa4096/E314D10907F87583 2015-04-06 [E]

And libusb

Ecuador
2024-03-21
...
Resolving github.com (github.com)... 140.82.114.3
Connecting to github.com (github.com)|140.82.114.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
...
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [application/octet-stream]
Saving to: ‘libusb-1.0.27.tar.bz2.asc’
...
Thu Mar 21 OBFUSCATED PM UTC 2024
1cd22bbfe4ce382ca9b091e2a6275c48f1c776253815cbb615da295ae0bfe687  libusb-1.0.27.tar.bz2.asc
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid AA0639079EFB61B9
    version 4, created 1706739331, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 84 5a
    hashed subpkt 33 len 21 (issuer fpr v4 9C7EA94939C69C4FBC3DBFA8AA0639079EFB61B9)
    hashed subpkt 2 len 4 (sig created 2024-01-31)
    subpkt 16 len 8 (issuer key ID AA0639079EFB61B9)
    data: [4093 bits]
user@disp5930:/tmp/tmp.3TOYfcrpe0$ 

Ecuador
2024-03-21
<dl id="pgp-keys"> <dt>OpenPGP keys: </dt> <dd> <span style="word-wrap: anywhere">2C2E77AB60515D499CA488EFA32D8476BAF41D0C</span><span>,</span> <span style="word-wrap: anywhere">32EAC3AA2932F7F152850C2A0ECA153961EC0EEC</span><span>,</span> <span style="word-wrap: anywhere">C68187379B23DE9EFC46651E2C80FF56C6830A0E</span> </dd> </dl>
2C2E77AB60515D499CA488EFA32D8476BAF41D0C 32EAC3AA2932F7F152850C2A0ECA153961EC0EEC C68187379B23DE9EFC46651E2C80FF56C6830A0E
gpg: key A32D8476BAF41D0C: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 0ECA153961EC0EEC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: key 2C80FF56C6830A0E: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
Thu Mar 21 OBFUSCATED PM UTC 2024
sha256sum: '*': No such file or directory
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open '*'
user@disp5930:/tmp/tmp.IZQG1VK6Du$
maltfield commented 6 months ago

Cool, the file checksums match on all 3x TOFUs from download.sh.

In all 3x TOFUs, we got the fingerprint 7ed10b6531d7c8e1bc296021fc624643487034e5 from python.com/download and a matching fingerprint 7ED1 0B65 31D7 C8E1 BC29 6021 FC62 4643 4870 34E5 from Steve Dower's keybase website.

In all 3x TOFUs, the libusb v1.0.27 detached signature was signed with a key with fingerprint = AA0639079EFB61B9. It looks like in all 3 cases I've failed to download the actual public key, but in all 3x cases the public keys listed on the dev's launchpad.net page matched:

  1. C68187379B23DE9EFC46651E2C80FF56C6830A0E
  2. 32EAC3AA2932F7F152850C2A0ECA153961EC0EEC
  3. C68187379B23DE9EFC46651E2C80FF56C6830A0E

Unfortunately none of them match the short fingerprint from the release, so I contacted the developer about this:

maltfield commented 6 months ago

Fuck, I just realized that by updating the docker image name without updating the keys in our repo, I made future builds vulnerable. God damn it docker.

To fix this I'll have to do 3TOFU on the files in build/deps/docker.io/

I also put a comment above the image name in the build script to make it clear that this should be done to avoid adding a vulnerability to the builds.

https://github.com/BusKill/buskill-app/blob/7ddd7662e2f542749cb89a720ffdd76800d40e3a/build/linux/debianWrapper.sh#L21-L25

maltfield commented 6 months ago

Actually, disregard my last comment. Because both images are published by the same group (debian), the same key is used to sign both debian:buster-slim and debian:bookworm-slim.

I verified this by launching two fresh VMs and installed debian:buster-slim on one VM and debian:bookworm-slim on another.

root@disp5388:~# docker image ls
REPOSITORY   TAG           IMAGE ID       CREATED       SIZE
debian       buster-slim   0b031cf4038f   10 days ago   69.3MB
root@disp5388:~# 

root@disp5388:~# find /root/.docker/ -name root.json || find /root/.docker/
/root/.docker/trust/tuf/docker.io/library/debian/metadata/root.json
root@disp5388:~# 

root@disp5388:~# sha256sum /root/.docker/trust/tuf/docker.io/library/debian/metadata/root.json
930192c85b0ed4698c583bdddefbd1200ee9ce09267334b6915b07fdf7df2c46  /root/.docker/trust/tuf/docker.io/library/debian/metadata/root.json
root@disp5388:~# 
root@disp4016:~# docker image ls
REPOSITORY   TAG             IMAGE ID       CREATED       SIZE
debian       bookworm-slim   dd8416105e9e   10 days ago   74.8MB
root@disp4016:~# 

root@disp4016:~# find /root/.docker/ -name root.json || find /root/.docker/
/root/.docker/trust/tuf/docker.io/library/debian/metadata/root.json
root@disp4016:~# 

root@disp4016:~# sha256sum /root/.docker/trust/tuf/docker.io/library/debian/metadata/root.json
930192c85b0ed4698c583bdddefbd1200ee9ce09267334b6915b07fdf7df2c46  /root/.docker/trust/tuf/docker.io/library/debian/metadata/root.json
root@disp4016:~#
maltfield commented 6 months ago

I already 3TOFU'd both the key and the file, but I went ahead and verified the authenticity of the python 3.12 window installer with gpg

user@buskill:~/sandbox/buskill-app-deps/build/deps$ sha256sum python-3.12.2-amd64.exe*
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65  python-3.12.2-amd64.exe
c85b82d619e6afd1731ef77761f47bc11eaff4ad51566fe692a484abd2c9bc58  python-3.12.2-amd64.exe.asc
user@buskill:~/sandbox/buskill-app-deps/build/deps$ 

user@buskill:~/sandbox/buskill-app-deps/build/deps$ gpg --import python-windows.asc 
gpg: key FC624643487034E5: public key "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

user@buskill:~/sandbox/buskill-app-deps/build/deps$ 

user@buskill:~/sandbox/buskill-app-deps/build/deps$ gpg --verify python-3.12.2-amd64.exe.asc 
gpg: assuming signed data in 'python-3.12.2-amd64.exe'
gpg: Signature made Tue 06 Feb 2024 05:41:09 PM -05
gpg:                using RSA key FC624643487034E5
gpg: Good signature from "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5
user@buskill:~/sandbox/buskill-app-deps/build/deps$
maltfield commented 6 months ago

I added all these new dependencies, along with a SHA256SUMS file and also a SHA256SUMS.asc file, which is signed with the buskill release key to the new buskill-app-depends repo

I've started updating the build scripts to checkout this repo, verify the signature on the SHA256SUMS file, verify the integrity of all the files listed in the SHA256SUMS file, and -- finally -- copy just the files that are listed in the SHA256SUMS file into our buskill-app repo's build/deps/ directory

maltfield commented 6 months ago

Unfortunately my local windows VM is choking because it doesn't have a gpgv binary. I don't see anything in the build/deps/ dir for installing GPG (just an exe for python), so I guess this is pre-installed on our GitHub runners.

It looks like the official website https://gnupg.org/ links to https://gpg4win.org/ for the official windows releases. According to the official website, those releases are signed with "one or more" of the GPG keys listed on this page:

Those public keys can be downloaded directly here:

TODO: 3TOFU the above file and add it to our main buskill-app repo's build/deps/ dir -- that way I can use it to safely install GPG4Win (and the gpg and gpgv commands) onto my local, ephemeral Windows build systems

maltfield commented 6 months ago

Ugh, MacOS builds are still broken.

Apparently the issue is that we're using the version of python that comes with our GitHub runner. That version keeps bumping-up, but I guess at least one of our depends (Kivy-11.1) doesn't work with the latest version of python.

I guess because I couldn't figure out how to download the damn brew dependencies, I figured I'd stick to Python 3.7 on MacOS for now, so I changed download.sh from

${WGET} `${CURL} -s https://pypi.org/simple/kivy/ | grep -oE 'https://.*Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl#'`

to

${WGET} `${CURL} -s https://pypi.org/simple/kivy/ | grep -oE 'https://.*Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl#'`

So apparently I expected that, since we can't update the Python version, it would be Kivy 1.11.1 upgraded to Kivy 2.3.0, but the python version cp37 would stay the same. Well, apparently we're building with python 3.11 anyway, so I'm still getting errors on the build about this

2024-03-22T18:35:20.0671400Z + /usr/local/Cellar/python@3.11/3.11.7_1/Frameworks/Python.framework/Versions/3.11/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/runner/work/buskill-app/buskill-app/build/deps/ build/deps/Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl
2024-03-22T18:35:20.6498540Z Looking in links: file:///Users/runner/work/buskill-app/buskill-app/build/deps/
2024-03-22T18:35:20.6705950Z ERROR: Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl is not a supported wheel on this platform.
maltfield commented 6 months ago

When I run this command on my MacMini build machine, it works fine. But of course there it's using python 3.7

maltfield@host buskill-app % /usr/local/Cellar/python/3.7.8/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/maltfield/sandbox/buskill-app/build/deps/ build/deps/Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl
DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
Looking in links: file:///Users/maltfield/sandbox/buskill-app/build/deps/
Processing ./build/deps/Kivy-1.11.1-cp37-cp37m-macosx_10_6_intel.macosx_10_9_intel.macosx_10_9_x86_64.macosx_10_10_intel.macosx_10_10_x86_64.whl
Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==1.11.1)
Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==1.11.1)
Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==1.11.1)
Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==1.11.1)
INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==1.11.1)
Processing ./build/deps/chardet-3.0.4-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==1.11.1)
Processing ./build/deps/idna-2.10-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==1.11.1)
Processing ./build/deps/urllib3-1.25.9-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==1.11.1)
Processing ./build/deps/certifi-2024.2.2-py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==1.11.1)
WARNING: Ignoring invalid distribution -yinstaller (/Users/maltfield/Library/Python/3.7/lib/python/site-packages)
Installing collected packages: chardet, urllib3, pygments, idna, docutils, certifi, requests, Kivy-Garden, Kivy
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
Successfully installed Kivy-1.11.1 Kivy-Garden-0.1.5 certifi-2024.2.2 chardet-3.0.4 docutils-0.16 idna-2.10 pygments-2.17.2 requests-2.24.0 urllib3-1.25.9
maltfield@host buskill-app %

If I try the updated version of Kivy for python 3.7 (that we just got in the 3TOFU above), it installs without errors, but -- wtf -- it says it installed the old version??

maltfield@host buskill-app % /usr/local/Cellar/python/3.7.8/bin/pip3 install --ignore-installed --upgrade --cache-dir build/deps/ --no-index --find-links file:///Users/maltfield/sandbox/buskill-app/build/deps/ build/deps/Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl
DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
Looking in links: file:///Users/maltfield/sandbox/buskill-app/build/deps/
Processing ./build/deps/Kivy-2.3.0-cp37-cp37m-macosx_10_9_x86_64.whl
Processing ./build/deps/Kivy_Garden-0.1.5-py3-none-any.whl (from Kivy==2.3.0)
Processing ./build/deps/docutils-0.20.1-py3-none-any.whl (from Kivy==2.3.0)
Processing ./build/deps/pygments-2.17.2-py3-none-any.whl (from Kivy==2.3.0)
Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
INFO: pip is looking at multiple versions of requests to determine which version is compatible with other requirements. This could take a while.
Processing ./build/deps/requests-2.24.0-py2.py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
Processing ./build/deps/chardet-3.0.4-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
Processing ./build/deps/idna-2.10-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
Processing ./build/deps/urllib3-1.25.9-py2.py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
Processing ./build/deps/certifi-2024.2.2-py3-none-any.whl (from requests->Kivy-Garden>=0.1.4->Kivy==2.3.0)
WARNING: Ignoring invalid distribution -yinstaller (/Users/maltfield/Library/Python/3.7/lib/python/site-packages)
Installing collected packages: chardet, urllib3, pygments, idna, docutils, certifi, requests, Kivy-Garden, Kivy
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
  DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
Successfully installed Kivy-1.11.1 Kivy-Garden-0.1.5 certifi-2024.2.2 chardet-3.0.4 docutils-0.16 idna-2.10 pygments-2.17.2 requests-2.24.0 urllib3-1.25.9
maltfield@host buskill-app %

maltfield@host buskill-app % /usr/local/Cellar/python/3.7.8/bin/pip3 list                       WARNING: Ignoring invalid distribution -yinstaller (/Users/maltfield/Library/Python/3.7/lib/python/site-packages)
Package                   Version
------------------------- ----------
altgraph                  0.17.2
appdirs                   1.4.4
buildozer                 1.2.0.dev0
certifi                   2024.2.2
chardet                   3.0.4
Cython                    0.29.10
distlib                   0.3.1
docutils                  0.16
filelock                  3.0.12
idna                      2.10
importlib-metadata        1.7.0
Kivy                      1.11.1
Kivy-Garden               0.1.5
libusb1                   1.8
macholib                  1.14
pip                       20.0.2
Pygments                  2.17.2
PyInstaller               3.6
pyinstaller-hooks-contrib 2021.4
python-gnupg              0.4.6
requests                  2.24.0
setuptools                46.0.0
six                       1.15.0
urllib3                   1.25.9
virtualenv                20.0.25
wheel                     0.34.2
zipp                      3.1.0
maltfield@host buskill-app %

I'm not sure if the scary DEPRECATION warnings are related, but apparently the discussion it mentions says that the solution is to upgrade from Python 3.9 to 3.10 (we're on 3.7 here with no clear way how to download the brew bottle/binary for anything else since they migrated to GitHub Package's container registry)