[issue37967] Beta GPG signature check failing
Christian Heimes
report at bugs.python.org
Wed Sep 11 12:49:27 EDT 2019
Christian Heimes <lists at cheimes.de> added the comment:
If you use pubkeys.txt from https://www.python.org/static/files/pubkeys.txt, then GPG verification gives you no additional security. An attack with write access to www.python.org or access to the private key of www.python.org can easily replace the pubkeys.txt with a key file under his control. You only get additional security if you retrieve the key from a different location *and* verify that the key owned by Łukasz.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37967>
_______________________________________
More information about the Python-bugs-list
mailing list