pubkeys.txt contains bogus keys #1395
I have moved this issue here from the CPython bug tracker: https://bugs.python.org/issue36191
Then, quoting Thomas Jollans (tjollans).
The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/)
This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints.
Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html
These are the obvious fake keys included:
Any progress on this? pubkeys.txt still has malicious keys in it and the alternate instructions use short IDs that have the same effect.
and just captured the output into the pubkeys file. That recv-keys command needs to be updated with the full fingerprint and the pubkeys.txt regenerated.
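The check the comments above describe, as an added example that is not the pythondotorg project's own code: it reads the machine-readable listing that `gpg --with-colons` prints for a key file, flags primary keys whose 32-bit short IDs collide while their full fingerprints differ (the evil32 pattern), and rejects anything whose 160-bit fingerprint is not on an allowlist. The sample listing and every fingerprint in it are constructed placeholders, not real release-manager keys.

```python
"""Audit a pubkeys.txt export by full fingerprint rather than short key ID."""
from collections import defaultdict

# Constructed `gpg --with-colons` output for three primary keys. The first two
# share the short ID 11112222 but have different full fingerprints; all values are made up.
SAMPLE_COLONS = """\
pub:-:4096:1:AAAAAAAA11112222:1400000000::-::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAA11112222:
uid:-::::1400000000::X::Release Manager (constructed) <rm@example.org>::::::::::0:
pub:-:2048:1:FFFFFFFF11112222:1500000000::-::::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA98FFFFFFFF11112222:
uid:-::::1500000000::X::Release Manager (constructed) <rm@example.org>::::::::::0:
pub:-:4096:1:BBBBBBBB33334444:1400000000::-::::scESC::::::23::0:
fpr:::::::::111111111111111111111111BBBBBBBB33334444:
uid:-::::1400000000::X::Other RM (constructed) <other@example.org>::::::::::0:
"""


def parse_keys(colons):
    """Collect (key ID, full fingerprint, first user ID) for every primary key."""
    keys, current = [], None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "fpr": None, "uid": None}
            keys.append(current)
        elif f[0] == "sub":
            current = None  # the fpr after a sub record belongs to the subkey
        elif f[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = f[9].upper()  # field 10 holds the 40-hex fingerprint
        elif f[0] == "uid" and current and current["uid"] is None:
            current["uid"] = f[9]
    return keys


def short_id_collisions(keys):
    """Group keys by the low 32 bits (last 8 hex digits); two fingerprints in one group is suspect."""
    groups = defaultdict(list)
    for k in keys:
        groups[k["fpr"][-8:]].append(k["fpr"])
    return {sid: fprs for sid, fprs in groups.items() if len(fprs) > 1}


def audit(keys, allowed_fprs):
    """Return the keys whose full fingerprint is not on the allowlist (spaces and case ignored)."""
    allowed = {fp.replace(" ", "").upper() for fp in allowed_fprs}
    return [k for k in keys if k["fpr"] not in allowed]


if __name__ == "__main__":
    found = parse_keys(SAMPLE_COLONS)
    print("short-ID collisions:", short_id_collisions(found))
    trusted = ["0123456789ABCDEF01234567AAAAAAAA11112222", "111111111111111111111111BBBBBBBB33334444"]
    for bad in audit(found, trusted):
        print("not on allowlist:", bad["fpr"], bad["uid"])
```

Feeding it real output (`gpg --with-colons --import-options show-only --import pubkeys.txt`) shows why the fix needs full fingerprints: the two colliding keys here are indistinguishable by `--recv-keys 11112222` alone.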
This is pretty scary, guys!
There has been further discussion on the Python bug tracker (https://bugs.python.org/issue37967) of