On 04/03/2019 20:37, Peter Otten wrote:
> For once I tried to verify a download from python.org, following the steps
> outlined at
>
> https://www.python.org/downloads/#pubkeys
>
> """
> You can import the release manager public keys by either downloading the
> public key file from here and then running
>
> gpg --import pubkeys.txt
> """
>
> When I ran the command above I saw
>
> $ gpg --import pubkeys.txt
> gpg: Schlüssel 6F5E1540: "Ned Deily <n...@acm.org>" 2 neue Signaturen
> gpg: Schlüssel 6A45C816: "Anthony Baxter <anth...@interlink.com.au>" nicht
> geändert
> gpg: Schlüssel 36580288: "Georg Brandl (Python release signing key)
> <ge...@python.org>" 2 neue Signaturen
> gpg: Schlüssel 7D9DC8D2: "Martin v. Löwis <mar...@v.loewis.de>" nicht geändert
> gpg: Schlüssel 18ADD4FF: "Benjamin Peterson <b...@benjamin.pe>" 3 neue
> Signaturen
> gpg: Schlüssel A4135B38: "Benjamin Peterson <benja...@python.org>" 1 neue
> Signatur
> gpg: Schlüssel A74B06BF: "Barry Warsaw <ba...@warsaw.us>" 138 neue Signaturen
> gpg: Schlüssel EA5BBD71: "Barry A. Warsaw <ba...@warsaw.us>" 6 neue Signaturen
> gpg: Schlüssel E6DF025C: "Ronald Oussoren <ronaldousso...@mac.com>" nicht
> geändert
> gpg: Schlüssel F73C700D: "Larry Hastings <la...@hastings.org>" 2 neue
> Signaturen
> gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key)
> <n...@python.org>" 1 neue User-ID
> gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key)
> <n...@python.org>" 20 neue Signaturen
> gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing)
> <steve.do...@microsoft.com>" 8 neue Signaturen
> gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl)
> <luk...@langa.pl>" importiert
> gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key
> <mall...@example.org>" importiert
> gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key
> <mall...@example.org>" importiert
> gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key
> <mall...@example.org>" importiert
> gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key
> <mall...@example.org>" importiert
> gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key
> <mall...@example.org>" importiert
> gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key
> <mall...@example.org>" importiert
> [...]
Everything's working fine on your end. If you have a closer look, you'll
see that all of the "Totally Legit" keys have key IDs that are identical
to key IDs of actual Python release managers. e.g. in the last line,
EA5BBD71 refers to the key
pub rsa1024 2015-05-22 [C]
801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71
uid [ unknown] Totally Legit Signing Key <mall...@example.org>
but it ALSO refers to the key
pub dsa1024 2005-11-24 [SC]
DBBF2EEBF925FAADCF1F3FFFD9866941EA5BBD71
uid [ unknown] Barry A. Warsaw <ba...@warsaw.us>
uid [ unknown] Barry A. Warsaw <ba...@wooz.org>
uid [ unknown] Barry A. Warsaw <ba...@python.org>
uid [ unknown] Barry A. Warsaw <ba...@canonical.com>
uid [ unknown] Barry Warsaw (GNU Mailman) <ba...@list.org>
uid [ unknown] Barry A. Warsaw <barry.war...@canonical.com>
sub elg2048 2005-11-24 [E]
The thing is that 32-bit key IDs are not secure and can easily be
cloned. [1]
I imagine that Barry at least knows this, seeing as he apparently cloned
his own old (compromised) key:
pub rsa1024 2014-06-16 [SCEA] [revoked: 2016-08-16]
2C7E264D238159CB07A3C350192720F7EA5BBD71
uid [ revoked] Barry A. Warsaw <ba...@warsaw.us>
What I imagine happened here is that whoever exported the pubkeys.txt
file did so on the basis of 32-bit key IDs. This is not ideal, as it
pulled in bogus keys, but there's no real harm done.
For good measure, I've put this on bpo (36191)
-- Thomas
[1] https://evil32.com/
>
> Now "totally legit" does sound like anything but "totally legit". Is there a
> problem with my machine, or python.org, or is this all "totally legit"?
>
> Advice or pointers welcome.
>
>
--
https://mail.python.org/mailman/listinfo/python-list
