[New-bugs-announce] [issue36191] pubkeys.txt contains bogus keys
Thomas Jollans
report at bugs.python.org
Mon Mar 4 17:39:11 EST 2019
New submission from Thomas Jollans <tjol at tjol.eu>:
The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/)
This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints.
Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html
These are the obvious fake keys included:
pub:-:1024:1:2056FF2E487034E5:1137310238:::-:
fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:C2E8D739F73C700D:1245930666:::-:
fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-:
fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:0E93AA73AA65421D:1202230939:::-:
fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:79B457E4E6DF025C:1357547701:::-:
fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-:
fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:236A434AA74B06BF:1366844479:::-:
fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:F5F4351EA4135B38:1250910569:::-:
fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-:
fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-:
fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:0F7232D036580288:1140898452:::-:
fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
pub:-:1024:1:27801D7E6A45C816:1287310846:::-:
fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816:
uid:::::::::Totally Legit Signing Key <mallory at example.org>:
----------
assignee: docs at python
components: Documentation
messages: 337156
nosy: docs at python, tjollans
priority: normal
severity: normal
status: open
title: pubkeys.txt contains bogus keys
type: enhancement
versions: Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36191>
_______________________________________
More information about the New-bugs-announce
mailing list