Message 337156 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	tjollans
Recipients	docs@python, tjollans
Date	2019-03-04.22:39:11
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1551739151.95.0.42643346766.issue36191@roundup.psfhosted.org>
In-reply-to

Content
The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/) This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints. Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html These are the obvious fake keys included: pub:-:1024:1:2056FF2E487034E5:1137310238:::-: fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:C2E8D739F73C700D:1245930666:::-: fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-: fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:0E93AA73AA65421D:1202230939:::-: fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:79B457E4E6DF025C:1357547701:::-: fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-: fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:236A434AA74B06BF:1366844479:::-: fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:F5F4351EA4135B38:1250910569:::-: fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-: fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-: fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:0F7232D036580288:1140898452:::-: fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288: uid:::::::::Totally Legit Signing Key <mallory@example.org>: pub:-:1024:1:27801D7E6A45C816:1287310846:::-: fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816: uid:::::::::Totally Legit Signing Key <mallory@example.org>:

The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/)

This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints.

Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html

These are the obvious fake keys included: 

pub:-:1024:1:2056FF2E487034E5:1137310238:::-:
fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:C2E8D739F73C700D:1245930666:::-:
fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-:
fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0E93AA73AA65421D:1202230939:::-:
fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:79B457E4E6DF025C:1357547701:::-:
fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-:
fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:236A434AA74B06BF:1366844479:::-:
fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:F5F4351EA4135B38:1250910569:::-:
fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-:
fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-:
fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0F7232D036580288:1140898452:::-:
fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:27801D7E6A45C816:1287310846:::-:
fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:

History
Date	User	Action	Args
2019-03-04 22:39:11	tjollans	set	recipients: + tjollans, docs@python
2019-03-04 22:39:11	tjollans	set	messageid: <1551739151.95.0.42643346766.issue36191@roundup.psfhosted.org>
2019-03-04 22:39:11	tjollans	link	issue36191 messages
2019-03-04 22:39:11	tjollans	create