New submission from Thomas Jollans <t...@tjol.eu>:
The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/) This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints. Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html These are the obvious fake keys included: pub:-:1024:1:2056FF2E487034E5:1137310238:::-: fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:C2E8D739F73C700D:1245930666:::-: fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-: fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:0E93AA73AA65421D:1202230939:::-: fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:79B457E4E6DF025C:1357547701:::-: fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-: fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:236A434AA74B06BF:1366844479:::-: fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:F5F4351EA4135B38:1250910569:::-: fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-: fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-: fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:0F7232D036580288:1140898452:::-: fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288: uid:::::::::Totally Legit Signing Key <mall...@example.org>: pub:-:1024:1:27801D7E6A45C816:1287310846:::-: fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816: uid:::::::::Totally Legit Signing Key <mall...@example.org>: ---------- assignee: docs@python components: Documentation messages: 337156 nosy: docs@python, tjollans priority: normal severity: normal status: open title: pubkeys.txt contains bogus keys type: enhancement versions: Python 3.7 _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue36191> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com