
pypi register page forces insecure 8 char PGP key ID #76

Closed
ewdurbin opened this Issue Oct 3, 2013 · 13 comments

@ewdurbin (Member) commented Oct 3, 2013

Originally reported by: Hans-Christoph Steiner (Bitbucket: eighthave, GitHub: eighthave)


I just signed up for an account on pypi to upload my python projects. It's a great site, and I've been happy to see pypi start to take security seriously. I was happy to see that the registration procedure included a spot to put my PGP key ID. Unfortunately, when I put in my 16 char key ID, it told me that it wasn't supported. When I put in the last 8 chars, then it worked.

The problem is that 8 char key IDs are easily spoofable. Ideally, pypi would request at least 16 chars. It should definitely allow 16 chars, and not force the insecure 8 char standard.

For more on this topic, including how to generate a PGP key that matches any 8 char key ID:
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
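As an added illustration (not part of the original report or of PyPI's own code): how the long and short key IDs relate to a key's fingerprint under OpenPGP v4, plus a registration-form check that accepts the 16-character ID the report asks for and rejects the 8-character one. The fingerprint value below is constructed, not a real key.

```python
import re

# Hex-digit lengths of the three identifiers gpg can print for an OpenPGP v4 key.
# The key ID is the low-order 64 bits of the SHA-1 fingerprint; the "short"
# key ID is the low-order 32 bits of it. 32 bits is far too small to resist
# deliberate collisions, which is why the report asks PyPI to take 16 characters.
SHORT_KEY_ID_HEX = 8
LONG_KEY_ID_HEX = 16
FINGERPRINT_HEX = 40

# Constructed sample fingerprint for demonstration only (not a real key).
SAMPLE_FINGERPRINT = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"


def normalize_key_identifier(value):
    """Drop whitespace (gpg groups fingerprints in fours) and an optional 0x prefix."""
    v = "".join(value.split())
    if v[:2].lower() == "0x":
        v = v[2:]
    return v.upper()


def key_ids_from_fingerprint(fingerprint):
    """Return (long_key_id, short_key_id) derived from a full 40-hex-digit fingerprint."""
    fp = normalize_key_identifier(fingerprint)
    if len(fp) != FINGERPRINT_HEX or not re.fullmatch(r"[0-9A-F]+", fp):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp[-LONG_KEY_ID_HEX:], fp[-SHORT_KEY_ID_HEX:]


def validate_registration_key_id(value):
    """Registration-form check: accept 16-hex long IDs or 40-hex fingerprints,
    reject 8-hex short IDs with a message that says why."""
    v = normalize_key_identifier(value)
    if not re.fullmatch(r"[0-9A-F]+", v):
        return False, "key ID must be hexadecimal digits"
    if len(v) == SHORT_KEY_ID_HEX:
        return False, ("8-character (32-bit) key IDs are easily spoofed; "
                       "enter the 16-character long key ID or the full fingerprint")
    if len(v) in (LONG_KEY_ID_HEX, FINGERPRINT_HEX):
        return True, "accepted"
    return False, "expected 16 or 40 hex digits"


if __name__ == "__main__":
    long_id, short_id = key_ids_from_fingerprint(SAMPLE_FINGERPRINT)
    for candidate in (short_id, long_id, SAMPLE_FINGERPRINT, "0x" + short_id):
        print(candidate, "->", validate_registration_key_id(candidate))
```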


@ewdurbin (Member) commented Oct 3, 2013

Original comment by Donald Stufft (Bitbucket: dstufft, GitHub: dstufft):


So this is correct, but I've not been very concerned about it because to my knowledge nothing actually uses those keys. I'm working on a PyPI 2.0 and this is one of the things I plan on fixing in that.

@ewdurbin (Member) commented Oct 3, 2013

Original comment by Hans-Christoph Steiner (Bitbucket: eighthave, GitHub: eighthave):


I've seen some releases posted on pypi that include a pgp sig. I imagine that those PGP sigs are related to the PGP key that is specified. Or is it for something else?

@ewdurbin (Member) commented Apr 15, 2014

Original comment by Robert Buchholz (Bitbucket: rbuchholz, GitHub: rbuchholz):


If it's not used for anything, then just remove it. There's no use in collecting 32 bit key IDs. It only gives the impression of it being used for improved security when it is not.

@ewdurbin (Member) commented Apr 15, 2014

Original comment by dwt (Bitbucket: dwt, GitHub: dwt):


+1

@ewdurbin (Member) commented Jul 28, 2014

Original comment by Daira Hopwood (Bitbucket: daira_hopwood, GitHub: Unknown):


+1 to removing it. I had been under the impression that PyPI did check signatures because it asked for this field.

@ewdurbin (Member) commented Jan 22, 2015

Original comment by Paul Furley (Bitbucket: paulfurley, GitHub: paulfurley):


I've just encountered this too: tried to enter my long key ID but it was rejected - I refuse to enter a short ID :)

+1 for removing this if it's dead code.

@ewdurbin (Member) commented Mar 9, 2016

Original comment by Bernhard M. Wiedemann (Bitbucket: bmwiedemann, GitHub: bmwiedemann):


This bug is still there.

@ewdurbin ewdurbin added major and removed bug labels Jun 18, 2016

@nitram2342 commented Jan 13, 2017

Same here.

@amarao commented Jun 6, 2017

I've just registered at pypi and I was really troubled by the gpg id field. It rejected my gpg id as an invalid format without saying anything helpful.

It took me a bit of googling to understand that 32-bits IDs are still in use, and another round of googling to find how to force gpg to show me 'short id' instead of normal one.

@dstufft (Member) commented Jun 6, 2017

It's OK, GPG is basically worthless on PyPI anyways.

@gene1wood commented Jan 20, 2018

Related support request

@gene1wood commented Jan 20, 2018

Here's some more context for @dstufft's comment about GPG being worthless on PyPI in pypa/twine#157

@ewdurbin (Member) commented Jan 20, 2018

I'm going to remove GPG key submission from the registration and user form on PyPI Legacy. It only serves to create additional confusion.

We'll continue to display them as they are if a user has them registered, but new registrations have no bother to display the field.

pypa/warehouse#2172 invalidates GPG key additions as a feature of warehouse, and as that is coming up on being real (no, for real though), it seems prudent to remove the functionality from PyPI legacy today.
