Issue 36191: pubkeys.txt contains bogus keys (original) (raw)

Issue36191

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/80372

classification

process

Created on 2019-03-04 22:39 by tjollans, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (4)
msg337156 - (view)	Author: Thomas Jollans (tjollans)	Date: 2019-03-04 22:39
The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/) This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints. Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html These are the obvious fake keys included: pub:-:1024:1:2056FF2E487034E5:1137310238:::-: fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:C2E8D739F73C700D:1245930666:::-: fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-: fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:0E93AA73AA65421D:1202230939:::-: fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:79B457E4E6DF025C:1357547701:::-: fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-: fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:236A434AA74B06BF:1366844479:::-: fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:F5F4351EA4135B38:1250910569:::-: fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-: fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-: fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:0F7232D036580288:1140898452:::-: fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:27801D7E6A45C816:1287310846:::-: fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816: uid:::::::::Totally Legit Signing Key <mallory@example.org>:
msg337184 - (view)	Author: Karthikeyan Singaravelan (xtreak) *	Date: 2019-03-05 12:03
Thanks for the report but the tracker deals with bugs in CPython. python.org website has a Github repo and I think this can be reported at https://github.com/python/pythondotorg where it could get a better resolution. I would propose closing it as third party.
msg337287 - (view)	Author: Joannah Nanjekye (nanjekyejoannah) *	Date: 2019-03-06 10:09
Agreed @xtreak, I have moved this issue to the respective Github repository https://github.com/python/pythondotorg/issues/1395 . I will close this issue.
msg352129 - (view)	Author: Ned Deily (ned.deily) *	Date: 2019-09-12 11:33
(See later discussion and resolution in Issue37967.)