Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
pubkeys.txt contains bogus keys
See original GitHub issueI have moved this issue from the Cpython bug tracker : https://bugs.python.org/issue36191 to here
Then, quoting Thomas Jollans (tjollans).
The file https://www.python.org/static/files/pubkeys.txt contains some bogus GPG keys with 32-bit key IDs identical to actual release manager key IDs. (see below) I imagine these slipped in by accident and may have been created by someone trying to make a point. (see also: https://evil32.com/)
This is obviously not a serious security concern, but it would be a better look if the file contained only the real keys, and if https://www.python.org/downloads/ listed fingerprints.
Pointed out by Peter Otten on python-list. https://mail.python.org/pipermail/python-list/2019-March/739788.html
These are the obvious fake keys included:
pub:-:1024:1:2056FF2E487034E5:1137310238:::-:
fpr:::::::::BA749AC731BE5A28A65446C02056FF2E487034E5:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:C2E8D739F73C700D:1245930666:::-:
fpr:::::::::7F54F95AC61EE1465CFE7A1FC2E8D739F73C700D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FABF4E7B6F5E1540:1512586955:::-:
fpr:::::::::FD01BA54AE5D9B9C468E65E3FABF4E7B6F5E1540:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0E93AA73AA65421D:1202230939:::-:
fpr:::::::::41A239476ABD6CBA8FC8FCA90E93AA73AA65421D:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:79B457E4E6DF025C:1357547701:::-:
fpr:::::::::9EB49DC166F6400EF5DA53F579B457E4E6DF025C:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:FEA3DC6DEA5BBD71:1432286066:::-:
fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:236A434AA74B06BF:1366844479:::-:
fpr:::::::::B43A1F9EDE867FE48AD1D718236A434AA74B06BF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:F5F4351EA4135B38:1250910569:::-:
fpr:::::::::4F3B83264BC0C99EDADBF91FF5F4351EA4135B38:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:D84E17F918ADD4FF:1484232656:::-:
fpr:::::::::3A3E83C9DB23EF8B5E5DADBED84E17F918ADD4FF:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:876CCCE17D9DC8D2:1164804081:::-:
fpr:::::::::C1FCAEABC21C54C03120EF6A876CCCE17D9DC8D2:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:0F7232D036580288:1140898452:::-:
fpr:::::::::12FF24C7BCEE1AE82EC38B3A0F7232D036580288:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
pub:-:1024:1:27801D7E6A45C816:1287310846:::-:
fpr:::::::::8CA98EEE6FE14D11DF37694927801D7E6A45C816:
uid:::::::::Totally Legit Signing Key <mallory@example.org>:
Issue Analytics
- State:
- Created 5 years ago
- Reactions:4
- Comments:5 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Thanks for reporting this. I had not seen this open issue until today. I last updated the file and I’m not quite sure yet how those bogus keys got in there but they definitely shouldn’t be there. That’s embarrassing! I’ll make sure they go away soon…
Six months later, this file is still present and still has the Mallory keys. It was also the first Google search result URL for
pgp key nad@python.orgafter I went looking when GnuPG complained because Python 3.7.7 is signed with a previously unseen key for an email address on the key.