Totally Legit Signing Key?

Peter Otten __peter__ at web.de
Mon Mar 4 14:37:19 EST 2019 

For once I tried to verify a download from python.org, following the steps outlined at

https://www.python.org/downloads/#pubkeys

"""
You can import the release manager public keys by either downloading the public key file from here and then running

gpg --import pubkeys.txt
"""

When I ran the command above I saw

$ gpg --import pubkeys.txt 
gpg: Schlüssel 6F5E1540: "Ned Deily <nad at acm.org>" 2 neue Signaturen
gpg: Schlüssel 6A45C816: "Anthony Baxter <anthony at interlink.com.au>" nicht geändert
gpg: Schlüssel 36580288: "Georg Brandl (Python release signing key) <georg at python.org>" 2 neue Signaturen
gpg: Schlüssel 7D9DC8D2: "Martin v. Löwis <martin at v.loewis.de>" nicht geändert
gpg: Schlüssel 18ADD4FF: "Benjamin Peterson <bp at benjamin.pe>" 3 neue Signaturen
gpg: Schlüssel A4135B38: "Benjamin Peterson <benjamin at python.org>" 1 neue Signatur
gpg: Schlüssel A74B06BF: "Barry Warsaw <barry at warsaw.us>" 138 neue Signaturen
gpg: Schlüssel EA5BBD71: "Barry A. Warsaw <barry at warsaw.us>" 6 neue Signaturen
gpg: Schlüssel E6DF025C: "Ronald Oussoren <ronaldoussoren at mac.com>" nicht geändert
gpg: Schlüssel F73C700D: "Larry Hastings <larry at hastings.org>" 2 neue Signaturen
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <nad at python.org>" 1 neue User-ID
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <nad at python.org>" 20 neue Signaturen
gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve.dower at microsoft.com>" 8 neue Signaturen
gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>" importiert
gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
[...]

Now "totally legit" does sound like anything but "totally legit". Is there a 
problem with my machine, or python.org, or is this all "totally legit"?

Advice or pointers welcome.

More information about the Python-list mailing list