Totally Legit Signing Key?

Thomas Jollans tjol at tjol.eu
Mon Mar 4 17:41:07 EST 2019 

On 04/03/2019 20:37, Peter Otten wrote:
> For once I tried to verify a download from python.org, following the steps outlined at
> 
> https://www.python.org/downloads/#pubkeys
> 
> """
> You can import the release manager public keys by either downloading the public key file from here and then running
> 
> gpg --import pubkeys.txt
> """
> 
> When I ran the command above I saw
> 
> $ gpg --import pubkeys.txt 
> gpg: Schlüssel 6F5E1540: "Ned Deily <nad at acm.org>" 2 neue Signaturen
> gpg: Schlüssel 6A45C816: "Anthony Baxter <anthony at interlink.com.au>" nicht geändert
> gpg: Schlüssel 36580288: "Georg Brandl (Python release signing key) <georg at python.org>" 2 neue Signaturen
> gpg: Schlüssel 7D9DC8D2: "Martin v. Löwis <martin at v.loewis.de>" nicht geändert
> gpg: Schlüssel 18ADD4FF: "Benjamin Peterson <bp at benjamin.pe>" 3 neue Signaturen
> gpg: Schlüssel A4135B38: "Benjamin Peterson <benjamin at python.org>" 1 neue Signatur
> gpg: Schlüssel A74B06BF: "Barry Warsaw <barry at warsaw.us>" 138 neue Signaturen
> gpg: Schlüssel EA5BBD71: "Barry A. Warsaw <barry at warsaw.us>" 6 neue Signaturen
> gpg: Schlüssel E6DF025C: "Ronald Oussoren <ronaldoussoren at mac.com>" nicht geändert
> gpg: Schlüssel F73C700D: "Larry Hastings <larry at hastings.org>" 2 neue Signaturen
> gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <nad at python.org>" 1 neue User-ID
> gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <nad at python.org>" 20 neue Signaturen
> gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve.dower at microsoft.com>" 8 neue Signaturen
> gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>" importiert
> gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mallory at example.org>" importiert
> [...]

Everything's working fine on your end. If you have a closer look, you'll
see that all of the "Totally Legit" keys have key IDs that are identical
to key IDs of actual Python release managers. e.g. in the last line,
EA5BBD71 refers to the key

pub   rsa1024 2015-05-22 [C]
      801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71
uid           [ unknown] Totally Legit Signing Key <mallory at example.org>

but it ALSO refers to the key

pub   dsa1024 2005-11-24 [SC]
      DBBF2EEBF925FAADCF1F3FFFD9866941EA5BBD71
uid           [ unknown] Barry A. Warsaw <barry at warsaw.us>
uid           [ unknown] Barry A. Warsaw <barry at wooz.org>
uid           [ unknown] Barry A. Warsaw <barry at python.org>
uid           [ unknown] Barry A. Warsaw <barry at canonical.com>
uid           [ unknown] Barry Warsaw (GNU Mailman) <barry at list.org>
uid           [ unknown] Barry A. Warsaw <barry.warsaw at canonical.com>
sub   elg2048 2005-11-24 [E]

The thing is that 32-bit key IDs are not secure and can easily be
cloned. [1]

I imagine that Barry at least knows this, seeing as he apparently cloned
his own old (compromised) key:

pub   rsa1024 2014-06-16 [SCEA] [revoked: 2016-08-16]
      2C7E264D238159CB07A3C350192720F7EA5BBD71
uid           [ revoked] Barry A. Warsaw <barry at warsaw.us>

What I imagine happened here is that whoever exported the pubkeys.txt
file did so on the basis of 32-bit key IDs. This is not ideal, as it
pulled in bogus keys, but there's no real harm done.

For good measure, I've put this on bpo (36191)

-- Thomas

[1] https://evil32.com/

> 
> Now "totally legit" does sound like anything but "totally legit". Is there a 
> problem with my machine, or python.org, or is this all "totally legit"?
> 
> Advice or pointers welcome.
> 
>

More information about the Python-list mailing list