
pubkeys.txt contains bogus keys #1395

Closed
nanjekyejoannah opened this issue Mar 6, 2019 · 4 comments

Comments

@nanjekyejoannah

commented Mar 6, 2019

I have moved this issue from the CPython bug tracker (https://bugs.python.org/issue36191) to here.

Quoting Thomas Jollans (tjollans):

The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs (see below). I imagine these slipped in by accident and may have been created by someone trying to make a point. (See also: https://evil32.com/)

This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints.

Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html

These are the obvious fake keys included:

pub:-:1024:1:2056FF2E487034E5:1137310238:::-:
fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:C2E8D739F73C700D:1245930666:::-:
fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-:
fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0E93AA73AA65421D:1202230939:::-:
fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:79B457E4E6DF025C:1357547701:::-:
fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-:
fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:236A434AA74B06BF:1366844479:::-:
fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:F5F4351EA4135B38:1250910569:::-:
fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-:
fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-:
fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0F7232D036580288:1140898452:::-:
fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:27801D7E6A45C816:1287310846:::-:
fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:

@ned-deily ned-deily self-assigned this Mar 13, 2019

@ned-deily

Member

commented Mar 13, 2019

Thanks for reporting this. I had not seen this open issue until today. I last updated the file and I'm not quite sure yet how those bogus keys got in there, but they definitely shouldn't be there. That's embarrassing! I'll make sure they go away soon.

@berkerpeksag

Member

commented Apr 6, 2019

I'm guessing this needs to be fixed by a release manager. Let me know if it's possible to update the public keys by non-RMs.

@mattspring


commented Apr 19, 2019

Any progress on this? pubkeys.txt still has malicious keys in it, and the alternative instructions use short IDs that have the same effect.
I'm pretty sure what happened is that someone ran:

gpg --recv-keys 10250568 6A45C816 36580288 7D9DC8D2 18ADD4FF A4135B38 A74B06BF EA5BBD71 E6DF025C AA65421D 6F5E1540 F73C700D 487034E5

and just captured the output into the pubkeys file. That recv-keys command needs to be updated with the full fingerprint and the pubkeys.txt regenerated.

This is pretty scary, guys!
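The key listing quoted in the opening comment is in `gpg --with-colons` format, and the comment above explains how the bogus keys got in: short 32-bit key IDs were fed to `gpg --recv-keys`, and evil32-style keys share those trailing 32 bits with the real release manager keys. The following Python is an added example (not code from this issue or from python.org's own tooling) that parses such a listing, groups keys by short ID to surface exactly that collision, checks that each long key ID is consistent with its fingerprint, and builds the corrected fetch command that uses full fingerprints. The sample listing is constructed: the first record reuses one fingerprint quoted in the issue, while the "Hypothetical Release Manager" and "Unrelated Key" records are invented keys whose fingerprints were chosen only so that one of them shares the short ID 487034E5 and the other collides with nothing.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input (not python.org data). Record 1 reuses a fingerprint
# quoted in the issue; records 2 and 3 are hypothetical keys: record 2 shares
# only its trailing 32 bits (short ID 487034E5) with record 1, record 3
# collides with nothing.
SAMPLE_LISTING = """\
pub:-:1024:1:2056FF2E487034E5:1137310238:::-:
fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:4096:1:1BC0DE01487034E5:1400000000:::-:
fpr:::::::::0011223344556677889900AA1BC0DE01487034E5:
uid:::::::::Hypothetical Release Manager <rm@example.invalid>:
pub:-:4096:1:AABBCCDD11223344:1450000000:::-:
fpr:::::::::FFEEDDCCBBAA998877665544AABBCCDD11223344:
uid:::::::::Unrelated Key <someone@example.invalid>:
"""


@dataclass
class Key:
    keyid: str                 # 64-bit "long" key ID from the pub record (field 5)
    bits: int                  # key length in bits (field 3)
    created: int               # creation time, seconds since the epoch (field 6)
    fingerprint: str = ""      # 40 hex digits from the following fpr record
    uids: list[str] = field(default_factory=list)


def short_id(fingerprint: str) -> str:
    """The 32-bit short key ID is simply the last 8 hex digits of the fingerprint."""
    return fingerprint[-8:].upper()


def parse_colon_listing(text: str) -> list[Key]:
    """Parse `gpg --with-colons` key-listing output into Key objects.

    Only primary keys are collected. A `sub` record ends the current primary so
    that a subkey's fpr line is never attributed to the primary key.
    """
    keys: list[Key] = []
    current: Key | None = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = Key(keyid=fields[4].upper(), bits=int(fields[2]), created=int(fields[5]))
            keys.append(current)
        elif rtype == "sub":
            current = None
        elif rtype == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = fields[9].upper()
        elif rtype == "uid" and current is not None:
            current.uids.append(fields[9])
    return keys


def consistency_problems(key: Key) -> list[str]:
    """For a v4 key the long ID is the low 64 bits of the fingerprint; report any mismatch."""
    if not key.fingerprint:
        return [f"{key.keyid}: no fpr record"]
    if not key.fingerprint.endswith(key.keyid):
        return [f"{key.keyid}: fingerprint {key.fingerprint} does not end in the key ID"]
    return []


def find_short_id_collisions(keys: list[Key]) -> dict[str, list[Key]]:
    """Group keys by short ID and return only the groups with more than one member.

    This is the condition evil32-style keys are built to trigger: same 32-bit
    short ID, different fingerprint, so `gpg --recv-keys <short-id>` can pull in
    an attacker's key alongside (or instead of) the intended one.
    """
    by_short: dict[str, list[Key]] = defaultdict(list)
    for key in keys:
        by_short[short_id(key.fingerprint)].append(key)
    return {sid: group for sid, group in by_short.items() if len(group) > 1}


def recv_keys_by_fingerprint(keys: list[Key]) -> list[str]:
    """argv for fetching these keys by full fingerprint, the fix suggested in the thread."""
    return ["gpg", "--recv-keys", *[k.fingerprint for k in keys]]


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    for key in keys:
        for problem in consistency_problems(key):
            print("inconsistent:", problem)
    for sid, group in find_short_id_collisions(keys).items():
        print(f"short ID {sid} is shared by {len(group)} keys:")
        for key in group:
            uid = key.uids[0] if key.uids else "(no uid)"
            print(f"  {key.fingerprint}  {key.bits}-bit  {uid}")
    print(" ".join(recv_keys_by_fingerprint(keys)))
```

Run against a real listing with `gpg --with-colons --list-keys > listing.txt` and pass the file contents to `parse_colon_listing`; any short ID reported by `find_short_id_collisions` means the keyring already contains two keys that a short-ID `--recv-keys` cannot tell apart, and only the full-fingerprint form is safe to publish or to paste into instructions.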

@ned-deily

Member

commented Sep 12, 2019

There has been further discussion on the Python bug tracker (https://bugs.python.org/issue37967) of pubkeys.txt which led to the conclusion that publishing such a key file is not a good idea, especially as it promotes a false sense of security. We have requested that the file be removed from python.org (that may take some days) and have updated the wording in the OpenPGP section of the Downloads page of the website (https://www.python.org/downloads/). Thanks for bringing up the issue and my apologies that it has taken so long to resolve.

@ned-deily ned-deily closed this Sep 12, 2019
