Issue 36191: pubkeys.txt contains bogus keys (original) (raw)
Issue36191
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
This issue has been migrated to GitHub: https://github.com/python/cpython/issues/80372
classification
Title: | pubkeys.txt contains bogus keys | ||
---|---|---|---|
Type: | enhancement | Stage: | resolved |
Components: | Documentation | Versions: | Python 3.7 |
process
Status: | closed | Resolution: | |
---|---|---|---|
Dependencies: | Superseder: | ||
Assigned To: | docs@python | Nosy List: | docs@python, nanjekyejoannah, ned.deily, peter.otten, tjollans, xtreak |
Priority: | normal | Keywords: |
Created on 2019-03-04 22:39 by tjollans, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Messages (4) | ||
---|---|---|
msg337156 - (view) | Author: Thomas Jollans (tjollans) | Date: 2019-03-04 22:39 |
The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/) This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints. Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html These are the obvious fake keys included: pub:-:1024:1:2056FF2E487034E5:1137310238:::-: fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:C2E8D739F73C700D:1245930666:::-: fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-: fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:0E93AA73AA65421D:1202230939:::-: fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:79B457E4E6DF025C:1357547701:::-: fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-: fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:236A434AA74B06BF:1366844479:::-: fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:F5F4351EA4135B38:1250910569:::-: fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-: fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-: fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:0F7232D036580288:1140898452:::-: fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:27801D7E6A45C816:1287310846:::-: fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816: uid:::::::::Totally Legit Signing Key <mallory@example.org>: | ||
msg337184 - (view) | Author: Karthikeyan Singaravelan (xtreak) * ![]() |
Date: 2019-03-05 12:03 |
Thanks for the report but the tracker deals with bugs in CPython. python.org website has a Github repo and I think this can be reported at https://github.com/python/pythondotorg where it could get a better resolution. I would propose closing it as third party. | ||
msg337287 - (view) | Author: Joannah Nanjekye (nanjekyejoannah) * ![]() |
Date: 2019-03-06 10:09 |
Agreed @xtreak, I have moved this issue to the respective Github repository https://github.com/python/pythondotorg/issues/1395 . I will close this issue. | ||
msg352129 - (view) | Author: Ned Deily (ned.deily) * ![]() |
Date: 2019-09-12 11:33 |
(See later discussion and resolution in Issue37967.) |
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:59:12 | admin | set | github: 80372 |
2019-09-12 11:33:33 | ned.deily | set | nosy: + ned.deilymessages: + |
2019-03-06 10:14:17 | nanjekyejoannah | set | status: open -> closedstage: resolved |
2019-03-06 10:09:08 | nanjekyejoannah | set | nosy: + nanjekyejoannahmessages: + |
2019-03-05 14:44:42 | peter.otten | set | nosy: + peter.otten |
2019-03-05 12:03:05 | xtreak | set | nosy: + xtreakmessages: + |
2019-03-04 22:39:11 | tjollans | create |