close
The Wayback Machine - https://web.archive.org/web/20190916070543/https://github.com/python/pythondotorg/issues/1395
Skip to content

/pythondotorg

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pubkeys.txt contains bogus keys #1395

Closed
nanjekyejoannah opened this issue Mar 6, 2019 · 4 comments

Comments

@nanjekyejoannah
Copy link

commented Mar 6, 2019
edited

I have moved this issue from the Cpython bug tracker : https://bugs.python.org/issue36191 to here

Then, quoting Thomas Jollans (tjollans).

The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/)

This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints.

Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html

These are the obvious fake keys included:

pub:-:1024:1:2056FF2E487034E5:1137310238:::-:
fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:C2E8D739F73C700D:1245930666:::-:
fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-:
fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0E93AA73AA65421D:1202230939:::-:
fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:79B457E4E6DF025C:1357547701:::-:
fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-:
fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:236A434AA74B06BF:1366844479:::-:
fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:F5F4351EA4135B38:1250910569:::-:
fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-:
fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-:
fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0F7232D036580288:1140898452:::-:
fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:27801D7E6A45C816:1287310846:::-:
fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:

@ned-deily ned-deily self-assigned this Mar 13, 2019

@ned-deily

This comment has been minimized.

Sign in to view
Copy link
Member

commented Mar 13, 2019

Thanks for reporting this. I had not seen this open issue until today. I last updated the file and I'm not quite sure yet how those bogus keys got in there but they definitely shouldn't be there. That's embarrassing! I'll make sure they go away soon..
@berkerpeksag

This comment has been minimized.

Sign in to view
Copy link
Member

commented Apr 6, 2019

I'm guessing this needs to be fixed by a release manager. Let me know if it's possible to update the public keys by non-RMs.
@mattspring

This comment has been minimized.

Sign in to view
Copy link

commented Apr 19, 2019

Any progress on this? pubkeys.txt still has malicious keys in it and the alternate instructions uses short IDs that have the same effect.
I'm pretty sure what happened is that someone ran:

gpg --recv-keys 10250568 6A45C816 36580288 7D9DC8D2 18ADD4FF A4135B38 A74B06BF EA5BBD71 E6DF025C AA65421D 6F5E1540 F73C700D 487034E5

and just captured the output into the pubkeys file. That recv-keys command needs to be updated with the full fingerprint and the pubkeys.txt regenerated.

This is pretty scary, guys!
@EchterAgo EchterAgo referenced this issue Jun 30, 2019
Merged

@brainwane brainwane added bug content downloads labels Aug 11, 2019

@ned-deily

This comment has been minimized.

Sign in to view
Copy link
Member

commented Sep 12, 2019

There has been further discussion on the Python bug tracker (https://bugs.python.org/issue37967) of pubkeys.txt which led to the conclusion that publishing such a key file is not a good idea, especially as it promotes a false sense of security. We have requested that the file be removed from python.org (tjat may take some days) and have updated the wording in the OpenPGP section of the Downloads page of the website (https://www.python.org/downloads/). Thanks for bringing up the issue and my apologies that it has taken so long to resolve.

@ned-deily ned-deily closed this Sep 12, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ned-deily ned-deily

Labels
bug content downloads
Projects
None yet
Milestone
No milestone
5 participants
@nanjekyejoannah @ned-deily @berkerpeksag @mattspring @brainwane
You can’t perform that action at this time.