Upon further investigation, it has been confirmed that the malicious
code bearing our code signing certificate was not correctly signed, and
as such we are assured that no compromise of any of our infrastructure
has occurred.
The issue arose due to scanning tools that misidentified malware as
being signed by us, despite the signature being invalid. We understand
that the issue was related to the malware using PyInstaller and bundling
our official binaries, which means the malware did contain our public
certificate, but not as part of its file signature. The tool in question
has been fixed.
Unfortunately, there is no way to un-revoke the certificate, and so
binaries for 3.12.8 and 3.13.1 will remain as invalid. As mentioned in
the original notification, no other releases used this certificate, and
so only the listed versions are impacted. You can refer to
https://learn.microsoft.com/en-us/azure/trusted-signing/concept-trusted-signing-cert-management
for more information about how our signing processes work.
In summary, no compromise took place, our certificates and signing
processes should still be considered trustworthy, and the issue is now
considered closed.
-Python Security Response Team
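The distinction the team draws above, a file that merely contains a certificate versus a file whose Authenticode signature was made with it, is exactly the check a scanner has to get right. The following Python is an added example, not code from the Python Security Response Team or from the page: it parses the PE headers, reads the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, and reports a file as carrying a signature only when that directory points at a WIN_CERTIFICATE structure; certificate bytes found anywhere else in the image (as in a PyInstaller bundle that embeds a signed python.exe) are treated as no evidence of signing. The sample PE images and the CERT_MARKER placeholder standing in for certificate DER are constructed inline, and the helper names (build_pe, security_directory, classify) are this example's own.

```python
from __future__ import annotations
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory index holding the signature
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for Authenticode PKCS#7
WIN_CERT_REVISION_2_0 = 0x0200

# Constructed placeholder standing in for a certificate's DER bytes.
CERT_MARKER = b"CONSTRUCTED-CERT-DER-PLACEHOLDER"


def build_pe(security_blob: bytes | None, trailing: bytes = b"") -> bytes:
    """Build a minimal, non-executable PE32+ image for testing (constructed data).

    If security_blob is given it is wrapped in a WIN_CERTIFICATE and the security
    data directory points at it. `trailing` is appended raw, unreferenced by any
    header, the way an archive or bundle appends payload bytes.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8            # PE32+ fixed fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    header_len = e_lfanew + 4 + 20 + opt_size
    dirs = [(0, 0)] * 16
    cert = b""
    if security_blob is not None:
        cert = struct.pack("<IHH", 8 + len(security_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + security_blob
        # For the security directory the "RVA" field is a raw file offset.
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_len, len(cert))
    opt = struct.pack("<H", 0x20B) + b"\x00" * 106 + struct.pack("<I", 16)
    for va, size in dirs:
        opt += struct.pack("<II", va, size)
    return dos + b"PE\0\0" + coff + opt + cert + trailing


def security_directory(data: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the security directory, or (0, 0) if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                  # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt_off + ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = opt_off + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", data, entry)


def has_authenticode_signature(data: bytes) -> bool:
    """True only if the security directory points at a well-formed WIN_CERTIFICATE."""
    off, size = security_directory(data)
    if off == 0 or size < 8 or off + size > len(data):
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


def contains_certificate_bytes(data: bytes, marker: bytes) -> bool:
    """Naive 'the certificate appears somewhere in the file' match, as a scanner might do."""
    return marker in data


def classify(data: bytes, marker: bytes) -> str:
    """Attribute the file to a signer only on the basis of the signature structure."""
    if has_authenticode_signature(data):
        return "signed: verify hash, PKCS#7 content, chain and revocation before trusting"
    if contains_certificate_bytes(data, marker):
        return "unsigned: embeds certificate bytes only, do not attribute to the subject"
    return "unsigned"


# Constructed samples: a signed image, a bundle that merely embeds the
# certificate bytes (the PyInstaller case), and a plain unsigned image.
SIGNED_SAMPLE = build_pe(security_blob=CERT_MARKER)
BUNDLED_SAMPLE = build_pe(security_blob=None, trailing=b"payload" + CERT_MARKER)
PLAIN_SAMPLE = build_pe(security_blob=None)

if __name__ == "__main__":
    for name, sample in [("signed", SIGNED_SAMPLE), ("bundled", BUNDLED_SAMPLE),
                         ("plain", PLAIN_SAMPLE)]:
        print(f"{name:8s} -> {classify(sample, CERT_MARKER)}")
```

Presence of a security directory is only the first gate: a real scanner must then hash the image with the signature excluded, verify the PKCS#7 content against that hash, build and check the chain, and consult revocation, which is what `signtool verify` or `Get-AuthenticodeSignature` do on Windows. The point the example isolates is the attribution rule: certificate bytes found outside that directory say nothing about who signed the file.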
On 8/28/2025 3:32 PM, Seth Larson wrote:
We have been made aware that the code signing certificates used for our
3.12.8 and 3.13.1 releases on Windows may have been used to sign
malicious code. As a precautionary measure, the certificate has been
revoked, which may result in Windows warning about or refusing to
execute these versions of Python. Additionally, we’ve rotated all secrets
related to code signing for Windows.
At this point there is also no indication that CPython build
infrastructure or signing has been compromised after auditing the
artifacts and build processes for the mentioned Python releases. Our
signing infrastructure generates new certificates frequently, and so
these are the only affected releases (see the explanation at the end of
https://www.python.org/downloads/).
There are no known issues with those releases, but the certificate has
been revoked to help reduce the risk of malicious code hiding behind our
reputation.
As a workaround, we suggest updating to 3.12.10 or 3.13.7.
At this stage, no further information is available, and the
investigation into whether, and how, our certificate was misused is
ongoing. We were already following secure practices for handling code
signing certificates, and have taken additional steps to ensure that our
infrastructure is not persistently compromised. We will provide updates
on this thread as they become available.
Please see the thread on discuss.python.org for more information or if
you have questions:
https://discuss.python.org/t/windows-code-signing-certificates-for-python-3-12-8-3-13-1-revoked/103356
_______________________________________________
Security-announce mailing list -- [email protected]