OpenPGP Verification
Source and binary executables of Python versions up to 3.13 (inclusive) are signed by the release manager or binary builder using their OpenPGP key. Python 3.14 and up uses Sigstore signing exclusively.
Signatures for currently supported releases
- Thomas Wouters (3.12.x and 3.13.x source files and tags) (key id: A821E680E5FA6305)
- Pablo Galindo Salgado (3.10.x and 3.11.x source files and tags) (key id: 64E628F8D684696D)
- Steve Dower (Windows binaries) (key id: FC62 4643 4870 34E5)
- Łukasz Langa (3.8.x and 3.9.x source files and tags) (key id: B269 95E3 1025 0568)
- Ned Deily (macOS binaries, 3.7.x / 3.6.x source files and tags) (key ids: 2D34 7EA6 AA65 421D and FB99 2128 6F5E 1540)
Signatures for end-of-life releases
- Anthony Baxter (key id: 0EDD C5F2 6A45 C816)
- Georg Brandl (key id: 0A5B 1018 3658 0288)
- Martin v. Löwis (key id: 6AF0 53F0 7D9D C8D2)
- Ronald Oussoren (key id: C9BE 28DE E6DF 025C)
- Barry Warsaw (key ids: 126E B563 A74B 06BF, D986 6941 EA5B BD71, and ED9D77D5)
- Larry Hastings (3.5.x source files and tags) (key id: 3A5C A953 F73C 700D)
- Benjamin Peterson (2.7.z source files and tags) (key id: 04C3 67C2 18AD D4FF and A4135B38)
Verifying a release
You can import a person's public keys from a public keyserver you trust by running a command like:
gpg --recv-keys [key id]
or, in many cases, public keys can also be found at keybase.io. On the version-specific download pages, you should see a link to both the downloadable file and a detached signature file. To verify the authenticity of the download, grab both files and then run this command:
gpg --verify Python-3.6.2.tgz.asc
Note that you must use the name of the signature file, and you should use the one that's appropriate to the download you're verifying.
(These instructions are geared to GnuPG and Unix command-line users.)
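As an added example (not part of the python.org page or its tooling), a small Python checker that goes one step beyond the exit status of `gpg --verify`: it parses gpg's `--status-fd` output and accepts the download only if the signature is good and the signing key's fingerprint ends in one of the key ids listed above, since gpg reports a good signature for any key in your keyring, whether or not it is the release manager's. The status-line names are GnuPG's; the sample output and its fingerprint are constructed.

```python
import re
import subprocess

# Key IDs as listed on this page (display spaces are stripped before comparing).
TRUSTED_KEY_IDS = {
    "A821E680E5FA6305",      # Thomas Wouters, 3.12.x / 3.13.x
    "64E628F8D684696D",      # Pablo Galindo Salgado, 3.10.x / 3.11.x
    "FC62 4643 4870 34E5",   # Steve Dower, Windows binaries
    "B269 95E3 1025 0568",   # Łukasz Langa, 3.8.x / 3.9.x
    "2D34 7EA6 AA65 421D",   # Ned Deily, macOS binaries, 3.7.x / 3.6.x
    "FB99 2128 6F5E 1540",   # Ned Deily (second key)
}

# Constructed sample of gpg's status output; only the last 16 hex digits of the fingerprint are real.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG A821E680E5FA6305 Thomas Wouters",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF01234567A821E680E5FA6305 2024-10-07 "
    "1728300000 0 4 0 22 10 01 0123456789ABCDEF01234567A821E680E5FA6305",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",   # gpg's exit status is still 0 here
]

def normalize_key_id(key_id: str) -> str:
    return key_id.replace(" ", "").upper()

def gpg_status_lines(sig_path: str) -> list:
    """Run the page's verify command with --status-fd; gpg locates the signed file by stripping .asc."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

def signing_fingerprint(status_lines):
    """Full fingerprint from VALIDSIG, or None unless a GOODSIG line is also present.
    GnuPG emits VALIDSIG for any cryptographically good signature, even one from an
    expired or revoked key (then reported as EXPKEYSIG/REVKEYSIG instead of GOODSIG)."""
    fingerprint, good = None, False
    for line in status_lines:
        m = re.match(r"\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{40,64}) ", line)
        if m:
            fingerprint = m.group(1).upper()
        elif line.startswith("[GNUPG:] GOODSIG "):
            good = True
    return fingerprint if good else None

def signed_by_trusted_key(status_lines, trusted=TRUSTED_KEY_IDS) -> bool:
    """Good signature AND the signing key is one listed on the page. A key ID is the
    trailing 16 (or 8) hex digits of the fingerprint, so compare by suffix."""
    fingerprint = signing_fingerprint(status_lines)
    return fingerprint is not None and any(fingerprint.endswith(normalize_key_id(k)) for k in trusted)
```

To check a real download, pass `gpg_status_lines("Python-3.6.2.tgz.asc")` to `signed_by_trusted_key` after importing the key as described above.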