Re: Totally Legit Signing Key?
On 04/03/2019 20:37, Peter Otten wrote: > For once I tried to verify a download from python.org, following the steps > outlined at > > https://www.python.org/downloads/#pubkeys > > """ > You can import the release manager public keys by either downloading the > public key file from here and then running > > gpg --import pubkeys.txt > """ > > When I ran the command above I saw > > $ gpg --import pubkeys.txt > gpg: Schlüssel 6F5E1540: "Ned Deily " 2 neue Signaturen > gpg: Schlüssel 6A45C816: "Anthony Baxter " nicht > geändert > gpg: Schlüssel 36580288: "Georg Brandl (Python release signing key) > " 2 neue Signaturen > gpg: Schlüssel 7D9DC8D2: "Martin v. Löwis " nicht geändert > gpg: Schlüssel 18ADD4FF: "Benjamin Peterson " 3 neue > Signaturen > gpg: Schlüssel A4135B38: "Benjamin Peterson " 1 neue > Signatur > gpg: Schlüssel A74B06BF: "Barry Warsaw " 138 neue Signaturen > gpg: Schlüssel EA5BBD71: "Barry A. Warsaw " 6 neue Signaturen > gpg: Schlüssel E6DF025C: "Ronald Oussoren " nicht > geändert > gpg: Schlüssel F73C700D: "Larry Hastings " 2 neue > Signaturen > gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) > " 1 neue User-ID > gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) > " 20 neue Signaturen > gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) > " 8 neue Signaturen > gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) > " importiert > gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > [...] Everything's working fine on your end. If you have a closer look, you'll see that all of the "Totally Legit" keys have key IDs that are identical to key IDs of actual Python release managers. e.g. in the last line, EA5BBD71 refers to the key pub rsa1024 2015-05-22 [C] 801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71 uid [ unknown] Totally Legit Signing Key but it ALSO refers to the key pub dsa1024 2005-11-24 [SC] DBBF2EEBF925FAADCF1F3FFFD9866941EA5BBD71 uid [ unknown] Barry A. Warsaw uid [ unknown] Barry A. Warsaw uid [ unknown] Barry A. Warsaw uid [ unknown] Barry A. Warsaw uid [ unknown] Barry Warsaw (GNU Mailman) uid [ unknown] Barry A. Warsaw sub elg2048 2005-11-24 [E] The thing is that 32-bit key IDs are not secure and can easily be cloned. [1] I imagine that Barry at least knows this, seeing as he apparently cloned his own old (compromised) key: pub rsa1024 2014-06-16 [SCEA] [revoked: 2016-08-16] 2C7E264D238159CB07A3C350192720F7EA5BBD71 uid [ revoked] Barry A. Warsaw What I imagine happened here is that whoever exported the pubkeys.txt file did so on the basis of 32-bit key IDs. This is not ideal, as it pulled in bogus keys, but there's no real harm done. For good measure, I've put this on bpo (36191) -- Thomas [1] https://evil32.com/ > > Now "totally legit" does sound like anything but "totally legit". Is there a > problem with my machine, or python.org, or is this all "totally legit"? > > Advice or pointers welcome. > > -- https://mail.python.org/mailman/listinfo/python-list
Re: Totally Legit Signing Key?
On Tue, Mar 5, 2019 at 9:06 AM Ben Finney wrote: > > Peter Otten <__pete...@web.de> writes: > > > $ gpg --import pubkeys.txt > > […] > > gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) > > " 8 neue Signaturen > > gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG > > langa.pl) " importiert > > gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key > > " importiert > > gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key > > " importiert > > gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key > > " importiert > > gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key > > " importiert > > gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key > > " importiert > > gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key > > " importiert > > [...] > > > > Now "totally legit" does sound like anything but "totally legit". > > Another clue is in the email address for that key: the ‘example.org’ > domain is guaranteed to never resolve to any machine on the internet. (More or less - that domain DOES resolve (and has an explanatory web site running on both HTTP and HTTPS), but it's guaranteed never to be anything more significant than an example.) Also of note is that the user portion of the address is "Mallory", a well-known member of the "Alice and Bob" set of names. https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characters So I would expect these keys to be used for example malicious messages or mis-signed content, to test the recognition of legit signatures. If those keys are included in the pubkeys.txt download, it's minorly wasteful, but not a major problem. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
Re: Totally Legit Signing Key?
Peter Otten <__pete...@web.de> writes: > $ gpg --import pubkeys.txt > […] > gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) > " 8 neue Signaturen > gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) > " importiert > gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key > " importiert > [...] > > Now "totally legit" does sound like anything but "totally legit". Another clue is in the email address for that key: the ‘example.org’ domain is guaranteed to never resolve to any machine on the internet. There's nothing stopping anyone putting a fake email address, and any description they like, into a GnuPG userid. This was an inexpensive way to discover that :-) > Is there a problem with my machine, or python.org, or is this all > "totally legit"? Your computer, and your GnuPG program, are working as intended. Those specific signatures are made with a key that is bogus (and has been constructed to look as fake as it in fact is), and so you can ignore them. > Advice or pointers welcome. Cryptographic signatures should be trusted no more than you trust the provenance of the key that made the signature. -- \“Human reason is snatching everything to itself, leaving | `\ nothing for faith.” —Bernard of Clairvaux, 1090–1153 CE | _o__) | Ben Finney -- https://mail.python.org/mailman/listinfo/python-list