Totally Legit Signing Key?
Ben Finney
ben+python at benfinney.id.au
Mon Mar 4 17:04:47 EST 2019
Peter Otten <__peter__ at web.de> writes:
> $ gpg --import pubkeys.txt
> […]
> gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve.dower at microsoft.com>" 8 neue Signaturen
> gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>" importiert
> gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> [...]
>
> Now "totally legit" does sound like anything but "totally legit".
Another clue is in the email address for that key: the ‘example.org’
domain is guaranteed to never resolve to any machine on the internet.
There's nothing stopping anyone putting a fake email address, and any
description they like, into a GnuPG userid. This was an inexpensive way
to discover that :-)
> Is there a problem with my machine, or python.org, or is this all
> "totally legit"?
Your computer, and your GnuPG program, are working as intended. Those
specific signatures are made with a key that is bogus (and has been
constructed to look as fake as it in fact is), and so you can ignore
them.
> Advice or pointers welcome.
Cryptographic signatures should be trusted no more than you trust the
provenance of the key that made the signature.
--
\ “Human reason is snatching everything to itself, leaving |
`\ nothing for faith.” —Bernard of Clairvaux, 1090–1153 CE |
_o__) |
Ben Finney
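As an added example, not part of this thread: the quoted import output shows two different keys sharing the short key ID 487034E5, and a user ID is free text, so a script that checks a release signature should compare the signer's full fingerprint against a value pinned out of band rather than trust the name or the short ID. The fingerprints below are constructed placeholders, and the status lines are constructed samples in the format of `gpg --status-fd 1 --verify`.

```python
"""Check a GnuPG signature by the signer's full fingerprint (added example)."""
import re
from typing import Optional

# Constructed placeholder fingerprints, NOT real keys.  Pin only values you
# have checked out of band (e.g. the release manager's published fingerprint).
PINNED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF487034E5",
}

# VALIDSIG carries the full 40-hex fingerprint; GOODSIG carries the user ID,
# which anyone can set to anything, and a key ID whose short form collides.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")


def signing_fingerprint(status_output: str) -> Optional[str]:
    """Return the fingerprint from the VALIDSIG line of `gpg --status-fd 1
    --verify` output, or None if gpg did not report a valid signature."""
    for line in status_output.splitlines():
        m = VALIDSIG_RE.match(line)
        if m:
            return m.group(1)
    return None


def signature_trusted(status_output: str) -> bool:
    """True only if the signature is valid AND the full fingerprint is pinned."""
    fpr = signing_fingerprint(status_output)
    return fpr is not None and fpr in PINNED_FINGERPRINTS


# Constructed status output for a signature made by the pinned key.
STATUS_PINNED = (
    "[GNUPG:] GOODSIG 89ABCDEF487034E5 Python Release Signing <release@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF487034E5 2019-03-04 "
    "1551740687 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF487034E5\n"
)
# Constructed: a different key whose short ID also ends in 487034E5 and whose
# user ID is freely chosen; gpg still says GOODSIG, but the fingerprint differs.
STATUS_COLLIDING = (
    "[GNUPG:] GOODSIG 76543210487034E5 Totally Legit Signing Key <mallory@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210487034E5 2019-03-04 "
    "1551740687 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210487034E5\n"
)
# Constructed: the pinned key ID, but the signature itself does not verify.
STATUS_BAD = "[GNUPG:] BADSIG 89ABCDEF487034E5 Python Release Signing <release@example.org>\n"

if __name__ == "__main__":
    for name, status in [("pinned", STATUS_PINNED), ("colliding", STATUS_COLLIDING), ("bad", STATUS_BAD)]:
        print(name, "->", "trusted" if signature_trusted(status) else "REJECT")
```

Only the pinned sample is accepted; the colliding key is rejected despite its GOODSIG line and matching short ID.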