
Totally Legit Signing Key?


On 04/03/2019 20:37, Peter Otten wrote:
> For once I tried to verify a download from python.org, following the steps outlined at
> 
> https://www.python.org/downloads/#pubkeys
> 
> """
> You can import the release manager public keys by either downloading the public key file from here and then running
> 
> gpg --import pubkeys.txt
> """
> 
> When I ran the command above I saw
> 
> $ gpg --import pubkeys.txt 
> gpg: key 6F5E1540: "Ned Deily <nad at acm.org>" 2 new signatures
> gpg: key 6A45C816: "Anthony Baxter <anthony at interlink.com.au>" not changed
> gpg: key 36580288: "Georg Brandl (Python release signing key) <georg at python.org>" 2 new signatures
> gpg: key 7D9DC8D2: "Martin v. Löwis <martin at v.loewis.de>" not changed
> gpg: key 18ADD4FF: "Benjamin Peterson <bp at benjamin.pe>" 3 new signatures
> gpg: key A4135B38: "Benjamin Peterson <benjamin at python.org>" 1 new signature
> gpg: key A74B06BF: "Barry Warsaw <barry at warsaw.us>" 138 new signatures
> gpg: key EA5BBD71: "Barry A. Warsaw <barry at warsaw.us>" 6 new signatures
> gpg: key E6DF025C: "Ronald Oussoren <ronaldoussoren at mac.com>" not changed
> gpg: key F73C700D: "Larry Hastings <larry at hastings.org>" 2 new signatures
> gpg: key AA65421D: "Ned Deily (Python release signing key) <nad at python.org>" 1 new user ID
> gpg: key AA65421D: "Ned Deily (Python release signing key) <nad at python.org>" 20 new signatures
> gpg: key 487034E5: "Steve Dower (Python Release Signing) <steve.dower at microsoft.com>" 8 new signatures
> gpg: key 10250568: public key "Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>" imported
> gpg: key 487034E5: public key "Totally Legit Signing Key <mallory at example.org>" imported
> gpg: key F73C700D: public key "Totally Legit Signing Key <mallory at example.org>" imported
> gpg: key 6F5E1540: public key "Totally Legit Signing Key <mallory at example.org>" imported
> gpg: key AA65421D: public key "Totally Legit Signing Key <mallory at example.org>" imported
> gpg: key E6DF025C: public key "Totally Legit Signing Key <mallory at example.org>" imported
> gpg: key EA5BBD71: public key "Totally Legit Signing Key <mallory at example.org>" imported
> [...]

Everything's working fine on your end. If you have a closer look, you'll
see that all of the "Totally Legit" keys have key IDs that are identical
to key IDs of actual Python release managers. e.g. in the last line,
EA5BBD71 refers to the key

pub   rsa1024 2015-05-22 [C]
      801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71
uid           [ unknown] Totally Legit Signing Key <mallory at example.org>

but it ALSO refers to the key

pub   dsa1024 2005-11-24 [SC]
      DBBF2EEBF925FAADCF1F3FFFD9866941EA5BBD71
uid           [ unknown] Barry A. Warsaw <barry at warsaw.us>
uid           [ unknown] Barry A. Warsaw <barry at wooz.org>
uid           [ unknown] Barry A. Warsaw <barry at python.org>
uid           [ unknown] Barry A. Warsaw <barry at canonical.com>
uid           [ unknown] Barry Warsaw (GNU Mailman) <barry at list.org>
uid           [ unknown] Barry A. Warsaw <barry.warsaw at canonical.com>
sub   elg2048 2005-11-24 [E]

The thing is that 32-bit key IDs are not secure and can easily be
cloned. [1]

I imagine that Barry at least knows this, seeing as he apparently cloned
his own old (compromised) key:

pub   rsa1024 2014-06-16 [SCEA] [revoked: 2016-08-16]
      2C7E264D238159CB07A3C350192720F7EA5BBD71
uid           [ revoked] Barry A. Warsaw <barry at warsaw.us>

What I imagine happened here is that whoever exported the pubkeys.txt
file did so on the basis of 32-bit key IDs. This is not ideal, as it
pulled in bogus keys, but there's no real harm done.

For good measure, I've put this on bpo (36191)

-- Thomas

[1] https://evil32.com/

> 
> Now "totally legit" does sound like anything but "totally legit". Is there a 
> problem with my machine, or python.org, or is this all "totally legit"?
> 
> Advice or pointers welcome.
> 
>
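The collision Thomas describes is easy to check for mechanically. The following is an added example, not code from this thread, from python.org or from GnuPG: it parses a key listing in the layout `gpg --list-keys --fingerprint` prints (pub line, 40-hex fingerprint line, uid lines), derives the 32- and 64-bit key IDs from each fingerprint the way RFC 4880 defines them for v4 keys (the key ID is the low-order 64 bits of the fingerprint, the short ID the low-order 32), and reports every short ID that refers to more than one key. The sample listing is constructed from the three keys quoted above, with the archive's "at" obfuscation turned back into "@"; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three keys quoted in the thread, in the layout
# `gpg --list-keys --fingerprint` uses. Not captured from python.org.
SAMPLE_LISTING = """\
pub   rsa1024 2015-05-22 [C]
      801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71
uid           [ unknown] Totally Legit Signing Key <mallory@example.org>

pub   dsa1024 2005-11-24 [SC]
      DBBF2EEBF925FAADCF1F3FFFD9866941EA5BBD71
uid           [ unknown] Barry A. Warsaw <barry@warsaw.us>
uid           [ unknown] Barry A. Warsaw <barry@python.org>
sub   elg2048 2005-11-24 [E]

pub   rsa1024 2014-06-16 [SCEA] [revoked: 2016-08-16]
      2C7E264D238159CB07A3C350192720F7EA5BBD71
uid           [ revoked] Barry A. Warsaw <barry@warsaw.us>
"""

# A fingerprint line is hex digits, possibly grouped with spaces.
HEXLINE_RE = re.compile(r"^\s*([0-9A-Fa-f][0-9A-Fa-f ]*)\s*$")
# "uid           [ unknown] Name <addr>" -> validity, user ID
UID_RE = re.compile(r"^uid\s+\[\s*(\w+)\]\s+(.+)$")


def normalize_fingerprint(text):
    """Upper-case and drop the spaces gpg inserts between 4-hex groups."""
    return text.replace(" ", "").upper()


def parse_listing(text):
    """Return [{'fpr': 40-hex, 'uids': [(validity, uid), ...]}] per pub key."""
    keys, current, expect_fpr = [], None, False
    for line in text.splitlines():
        if line.startswith("pub"):
            current, expect_fpr = None, True     # fingerprint follows
        elif line.startswith("sub"):
            current = None                       # no more uids for this key
        elif expect_fpr:
            m = HEXLINE_RE.match(line)
            fpr = normalize_fingerprint(m.group(1)) if m else ""
            if len(fpr) == 40:
                current = {"fpr": fpr, "uids": []}
                keys.append(current)
            expect_fpr = False
        else:
            m = UID_RE.match(line)
            if m and current is not None:
                current["uids"].append((m.group(1), m.group(2).strip()))
    return keys


def short_key_id(fpr):
    """32-bit key ID: the low-order 32 bits of a v4 fingerprint."""
    return normalize_fingerprint(fpr)[-8:]


def long_key_id(fpr):
    """64-bit key ID: the low-order 64 bits of a v4 fingerprint (RFC 4880 12.2)."""
    return normalize_fingerprint(fpr)[-16:]


def find_short_id_collisions(keys):
    """Map each ambiguous short ID to every key it refers to."""
    by_short = defaultdict(list)
    for k in keys:
        by_short[short_key_id(k["fpr"])].append(k)
    return {sid: ks for sid, ks in by_short.items() if len(ks) > 1}


def lookup(keys, key_id):
    """All keys a bare key ID could mean; a short ID may match several."""
    wanted = normalize_fingerprint(key_id)
    return [k for k in keys if k["fpr"].endswith(wanted)]


def is_pinned(fpr, pinned):
    """Accept a signing key only by its full fingerprint, never by key ID."""
    want = normalize_fingerprint(fpr)
    return len(want) == 40 and want in {normalize_fingerprint(p) for p in pinned}


def report(keys):
    """Human-readable lines describing every short-ID collision."""
    lines = []
    for sid, ks in sorted(find_short_id_collisions(keys).items()):
        lines.append(f"short ID {sid} is ambiguous: {len(ks)} keys")
        for k in ks:
            uid = k["uids"][0][1] if k["uids"] else "(no uid)"
            lines.append(f"  {k['fpr']}  {uid}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_listing(SAMPLE_LISTING))) or "no collisions")
```

Run against a real keyring, `gpg --list-keys --fingerprint` output can be fed to `parse_listing` instead of the sample. The practical rule the example encodes in `is_pinned` is the one the evil32 work argues for: decide which key to trust by comparing the full 40-hex fingerprint against one obtained out of band, since both a short and, against a determined adversary, even a long key ID can be chosen by whoever generates the key.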