Totally Legit Signing Key?

Ben Finney ben+python at benfinney.id.au
Mon Mar 4 17:04:47 EST 2019


Peter Otten <__peter__ at web.de> writes:

> $ gpg --import pubkeys.txt 
> […]
> gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve.dower at microsoft.com>" 8 neue Signaturen
> gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>" importiert
> gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> [...]
>
> Now "totally legit" does sound like anything but "totally legit".

Another clue is in the email address for that key: the ‘example.org’
domain is guaranteed to never resolve to any machine on the internet.

There's nothing stopping anyone putting a fake email address, and any
description they like, into a GnuPG userid. This was an inexpensive way
to discover that :-)

> Is there a problem with my machine, or python.org, or is this all
> "totally legit"?

Your computer, and your GnuPG program, are working as intended. Those
specific signatures are made with a key that is bogus (and has been
constructed to look as fake as it in fact is), and so you can ignore
them.

> Advice or pointers welcome.

Cryptographic signatures should be trusted no more than you trust the
provenance of the key that made the signature.

-- 
 \            “Human reason is snatching everything to itself, leaving |
  `\           nothing for faith.” —Bernard of Clairvaux, 1090–1153 CE |
_o__)                                                                  |
Ben Finney
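An added illustration of the last point above, not part of the original thread: a signature is only worth as much as the provenance of the key behind it, so a verifier should pin the full fingerprint of the key it expects rather than rely on the user ID text (which anyone can set) or on a short key ID (the quoted import output lists 487034E5 for two different keys). The script below parses the machine-readable `--status-fd` lines that `gpg --verify` emits and accepts a signature only when gpg reports `VALIDSIG` for a pinned primary-key fingerprint. The `[GNUPG:]` keywords and the `VALIDSIG` field layout are GnuPG's documented status interface; the fingerprints, the sample status streams and the helper names `check_status` and `verify_file` are constructed for this example.

```python
import re
import subprocess

# Constructed, obviously fake 40-hex fingerprints used only for this example.
TRUSTED_RELEASE_KEY = "A" * 40   # stands in for the real release-manager key
MALLORY_KEY = "B" * 40           # stands in for a "Totally Legit Signing Key"

# Only fingerprints in this set are accepted, regardless of the user ID text.
TRUSTED_FINGERPRINTS = {TRUSTED_RELEASE_KEY}

HEX40 = re.compile(r"^[0-9A-F]{40}$")

# Status keywords that mean the signature must not be accepted, whatever else
# gpg printed. GOODSIG alone is not enough: it only says the signature
# verifies against *some* key that happens to be in the keyring.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def check_status(status_text, trusted=TRUSTED_FINGERPRINTS):
    """Evaluate `gpg --status-fd` output against a pinned fingerprint set.

    Returns (accepted, reason). Accepts only when gpg reported VALIDSIG and
    the primary-key fingerprint on that line is in `trusted`.
    """
    primary_fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            # Field layout: VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver>
            # <reserved> <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
            # The primary-key fingerprint is the last field on recent gpg
            # versions; fall back to the signing-key fingerprint otherwise.
            sig_fpr = fields[2]
            last = fields[-1]
            primary_fpr = last if HEX40.match(last) else sig_fpr
    if primary_fpr is None:
        return False, "no VALIDSIG line"
    if primary_fpr not in trusted:
        return False, "untrusted key " + primary_fpr
    return True, "trusted key " + primary_fpr


def verify_file(signature_path, data_path):
    """Run gpg on a detached signature and apply check_status to its output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return check_status(proc.stdout)


# Constructed status streams imitating what gpg prints for three cases.
# Case 1: a valid signature, but from the mallory key (GOODSIG is present!).
MALLORY_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {MALLORY_KEY[-16:]} Totally Legit Signing Key <mallory@example.org>
[GNUPG:] VALIDSIG {MALLORY_KEY} 2019-03-04 1551737087 0 4 0 1 8 00 {MALLORY_KEY}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Case 2: a valid signature from the pinned release key.
TRUSTED_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {TRUSTED_RELEASE_KEY[-16:]} Example Release Signing <release@example.invalid>
[GNUPG:] VALIDSIG {TRUSTED_RELEASE_KEY} 2019-03-04 1551737087 0 4 0 1 8 00 {TRUSTED_RELEASE_KEY}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# Case 3: the data was modified after signing.
BAD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] BADSIG {TRUSTED_RELEASE_KEY[-16:]} Example Release Signing <release@example.invalid>
"""

if __name__ == "__main__":
    for name, status in (("mallory", MALLORY_STATUS),
                         ("trusted", TRUSTED_STATUS),
                         ("tampered", BAD_STATUS)):
        print(name, check_status(status))
```

The point of the allowlist is that the decision never looks at the user ID string: the mallory stream carries a `GOODSIG` line and would pass a naive "did gpg say good?" check, yet it is rejected because its fingerprint is not pinned. `verify_file` is the same logic wired to a real `gpg --verify` run and is not exercised offline.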
