Peter Otten <__pete...@web.de> writes:

> $ gpg --import pubkeys.txt
> […]
> gpg: key 487034E5: "Steve Dower (Python Release Signing) <steve.do...@microsoft.com>" 8 new signatures
> gpg: key 10250568: public key "Łukasz Langa (GPG langa.pl) <luk...@langa.pl>" imported
> gpg: key 487034E5: public key "Totally Legit Signing Key <mall...@example.org>" imported
> gpg: key F73C700D: public key "Totally Legit Signing Key <mall...@example.org>" imported
> gpg: key 6F5E1540: public key "Totally Legit Signing Key <mall...@example.org>" imported
> gpg: key AA65421D: public key "Totally Legit Signing Key <mall...@example.org>" imported
> gpg: key E6DF025C: public key "Totally Legit Signing Key <mall...@example.org>" imported
> gpg: key EA5BBD71: public key "Totally Legit Signing Key <mall...@example.org>" imported
> [...]
>
> Now "totally legit" does sound like anything but "totally legit".
Another clue is in the email address for that key: the ‘example.org’ domain is guaranteed to never resolve to any machine on the internet. There's nothing stopping anyone putting a fake email address, and any description they like, into a GnuPG user ID. This was an inexpensive way to discover that :-)

> Is there a problem with my machine, or python.org, or is this all
> "totally legit"?

Your computer, and your GnuPG program, are working as intended. Those specific signatures are made with a key that is bogus (and has been constructed to look as fake as it in fact is), and so you can ignore them.

> Advice or pointers welcome.

Cryptographic signatures should be trusted no more than you trust the provenance of the key that made the signature.

-- 
“Human reason is snatching everything to itself, leaving nothing for faith.” —Bernard of Clairvaux, 1090–1153 CE

Ben Finney
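The closing rule above can be applied mechanically: instead of reading gpg's human-readable (and, as the quoted output shows, localised) messages and trusting the user ID text, drive gpg with `--status-fd` and accept a file only when a `VALIDSIG` line names a full fingerprint you obtained out of band. Note also that the quoted import log shows the 8-character key ID 487034E5 on both Steve Dower's key and one of the "Totally Legit" keys, so a short key ID is not a usable identifier. The following is an added example, not code from either post in the thread or from python.org; the `--batch --status-fd 1 --verify` flags are real GnuPG options, but every fingerprint, key ID, date and status line in it is a constructed placeholder, and the allowlist values would in practice come from a trusted channel rather than from the keys file being checked.

```python
"""Accept a detached GnuPG signature only if an allowlisted key made it.

Added example, not part of the original thread. The decision is taken on
the machine-readable status lines gpg emits with --status-fd, never on the
user ID text, which anyone can set to anything (see the thread above).
All fingerprints, key IDs and sample lines below are constructed placeholders.
"""
import subprocess

# Constructed placeholders standing in for the release managers' full
# 40-hex-digit fingerprints (they mirror the two legitimate short key IDs
# seen in the quoted import log; they are NOT the real keys' fingerprints).
TRUSTED_FINGERPRINTS = {
    "1111222233334444555566667777BBBB487034E5",
    "AAAABBBBCCCCDDDDEEEEFFFF0000111110250568",
}


def short_key_id(fingerprint):
    """The 32-bit 'short' key ID gpg printed in the quoted log: the last 8 hex
    digits of the fingerprint.  Two unrelated keys can share it, which is why
    it must never be used as the allowlist key."""
    return fingerprint.upper()[-8:]


def valid_signer_fingerprints(status_lines):
    """Return the fingerprints of keys that produced cryptographically valid
    signatures, taken from VALIDSIG lines only.

    Field layout of VALIDSIG (after '[GNUPG:]'): keyword, signing-key
    fingerprint, creation date, timestamp, expiry, version, reserved,
    pubkey algo, hash algo, sig class, and optionally the primary-key
    fingerprint.  Both fingerprints are collected so the allowlist may hold
    either.  GOODSIG is ignored: it carries only a long key ID plus the
    attacker-controlled user ID string.
    """
    found = set()
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        found.add(parts[2].upper())
        if len(parts) >= 12:
            found.add(parts[11].upper())
    return found


def decide(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """Accept iff at least one valid signature comes from an allowlisted key.

    Bad signatures, missing public keys and valid signatures from keys that
    are not on the allowlist are simply ignored: the question is whether a
    trusted signer vouched for the file, not whether anyone did.
    Returns (accepted, set_of_matching_fingerprints).
    """
    matching = valid_signer_fingerprints(status_lines) & {f.upper() for f in trusted}
    return bool(matching), matching


def verify_file(path, sig_path, trusted=TRUSTED_FINGERPRINTS):
    """Run gpg on a detached signature and apply the allowlist policy.

    --status-fd 1 routes the status lines to stdout.  gpg's own exit status
    only reports whether signatures verified against whatever happens to be
    in the keyring; it does not say which key signed, so it is not used.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True, check=False,
    )
    return decide(proc.stdout.splitlines(), trusted)


# Constructed sample of what gpg --status-fd emits for a file carrying three
# signatures: one by an allowlisted key, one by a mimic whose fingerprint
# shares the short key ID 487034E5 (as in the quoted log), and one by a key
# that is not in the keyring at all.  Dates and IDs are placeholders.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 1111222233334444555566667777BBBB487034E5 0
[GNUPG:] GOODSIG 7777BBBB487034E5 Release Manager <release@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566667777BBBB487034E5 2016-06-27 1467028800 0 4 0 1 10 00 1111222233334444555566667777BBBB487034E5
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3333CCCC487034E5 Totally Legit Signing Key <mall...@example.org>
[GNUPG:] VALIDSIG 9999888877776666555544443333CCCC487034E5 2016-06-27 1467028800 0 4 0 1 10 00 9999888877776666555544443333CCCC487034E5
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1467028800 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
""".splitlines()


if __name__ == "__main__":
    ok, who = decide(SAMPLE_STATUS)
    print("accepted" if ok else "REJECTED", sorted(who))
    # Both signing keys in the sample collapse to the same short key ID.
    print(short_key_id("1111222233334444555566667777BBBB487034E5"),
          short_key_id("9999888877776666555544443333CCCC487034E5"))
```

Running the sample accepts the file on the strength of the allowlisted fingerprint alone; dropping that signature leaves only the mimic's perfectly valid signature, and the file is rejected even though gpg would have printed "Good signature" for it. Putting "487034E5" in the allowlist matches nothing, by design.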