Release process: can't create tag

[humitos]

I'm not sure why I can't create tags. It seems it's calling gpg for some reason and I don't have it set it up.

$ git tag -s 2.1.0rc2   
error: gpg failed to sign the data:
gpg: skipped "Manuel Kaufmann <humitos@gmail.com>": No secret key
[GNUPG:] INV_SGNR 9 Manuel Kaufmann <humitos@gmail.com>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key

error: unable to sign the tag
The tag message has been left in .git/TAG_EDITMSG

We need to create 2.1.0rc1 and 2.1.0rc2.

[agjohnson]

I'd check your local configuration as this should not be configuration at the repo level.

In the past, we did sign packages with GPG. Since PyPI dropped this support, we stopped this though. The key used would have been the security@readthedocs.org GPG key, not your private key. I'm guessing your Git configuration is old and still referencing tag/commit signing.

[agjohnson]

Specifically, do you have this in your local .git/config?

[commit]
    gpgsign = true

[humitos]

In the past, we did sign packages with GPG. Since PyPI dropped this support, we stopped this though

I understand this is not related with PyPI, but with Git itself since we are passing -s to sign the tag creation.

The key used would have been the security@readthedocs.org GPG key, not your private key

I was able to perform the PyPI signing without issues.

---

I opened #1596 to remove the -s which is what's causing the issue.

[webknjaz]

I was able to perform the PyPI signing without issues.

@humitos I don't think so. It stopped accepting PGP signature uploads a while ago: https://discuss.python.org/t/gpg-signature-support-removed-from-pypi/27014 / https://blog.pypi.org/posts/2023-05-23-removing-pgp/.

Though, there's a new PEP 740 digital attestations feature upcoming that you can enable already and wait until the related bits and pieces start showing up on PyPI: https://github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations.