
Totally Legit Signing Key?


Peter Otten

Mar 4, 2019, 2:37:50 PM
For once I tried to verify a download from python.org, following the steps outlined at

https://www.python.org/downloads/#pubkeys

"""
You can import the release manager public keys by either downloading the public key file from here and then running

gpg --import pubkeys.txt
"""

When I ran the command above I saw

$ gpg --import pubkeys.txt
gpg: Schlüssel 6F5E1540: "Ned Deily <n...@acm.org>" 2 neue Signaturen
gpg: Schlüssel 6A45C816: "Anthony Baxter <ant...@interlink.com.au>" nicht geändert
gpg: Schlüssel 36580288: "Georg Brandl (Python release signing key) <ge...@python.org>" 2 neue Signaturen
gpg: Schlüssel 7D9DC8D2: "Martin v. Löwis <mar...@v.loewis.de>" nicht geändert
gpg: Schlüssel 18ADD4FF: "Benjamin Peterson <b...@benjamin.pe>" 3 neue Signaturen
gpg: Schlüssel A4135B38: "Benjamin Peterson <benj...@python.org>" 1 neue Signatur
gpg: Schlüssel A74B06BF: "Barry Warsaw <ba...@warsaw.us>" 138 neue Signaturen
gpg: Schlüssel EA5BBD71: "Barry A. Warsaw <ba...@warsaw.us>" 6 neue Signaturen
gpg: Schlüssel E6DF025C: "Ronald Oussoren <ronaldo...@mac.com>" nicht geändert
gpg: Schlüssel F73C700D: "Larry Hastings <la...@hastings.org>" 2 neue Signaturen
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <n...@python.org>" 1 neue User-ID
gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <n...@python.org>" 20 neue Signaturen
gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve...@microsoft.com>" 8 neue Signaturen
gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <luk...@langa.pl>" importiert
gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
[...]

Now "totally legit" does sound like anything but "totally legit". Is there a
problem with my machine, or python.org, or is this all "totally legit"?

Advice or pointers welcome.


Ben Finney

Mar 4, 2019, 5:05:11 PM
Peter Otten <__pet...@web.de> writes:

> $ gpg --import pubkeys.txt
> […]
> gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve...@microsoft.com>" 8 neue Signaturen
> gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <luk...@langa.pl>" importiert
> gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> [...]
>
> Now "totally legit" does sound like anything but "totally legit".

Another clue is in the email address for that key: the ‘example.org’
domain is guaranteed to never resolve to any machine on the internet.

There's nothing stopping anyone putting a fake email address, and any
description they like, into a GnuPG userid. This was an inexpensive way
to discover that :-)

> Is there a problem with my machine, or python.org, or is this all
> "totally legit"?

Your computer, and your GnuPG program, are working as intended. Those
specific signatures are made with a key that is bogus (and has been
constructed to look as fake as it in fact is), and so you can ignore
them.

> Advice or pointers welcome.

Cryptographic signatures should be trusted no more than you trust the
provenance of the key that made the signature.

--
\ “Human reason is snatching everything to itself, leaving |
`\ nothing for faith.” —Bernard of Clairvaux, 1090–1153 CE |
_o__) |
Ben Finney

Chris Angelico

Mar 4, 2019, 5:23:43 PM
On Tue, Mar 5, 2019 at 9:06 AM Ben Finney <ben+p...@benfinney.id.au> wrote:
>
> Peter Otten <__pet...@web.de> writes:
>
> > $ gpg --import pubkeys.txt
> > […]
> > gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve...@microsoft.com>" 8 neue Signaturen
> > gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <luk...@langa.pl>" importiert
> > gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> > gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> > gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> > gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> > gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> > gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> > [...]
> >
> > Now "totally legit" does sound like anything but "totally legit".
>
> Another clue is in the email address for that key: the ‘example.org’
> domain is guaranteed to never resolve to any machine on the internet.

(More or less - that domain DOES resolve (and has an explanatory web
site running on both HTTP and HTTPS), but it's guaranteed never to be
anything more significant than an example.)

Also of note is that the user portion of the address is "Mallory", a
well-known member of the "Alice and Bob" set of names.

https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characters

So I would expect these keys to be used for example malicious messages
or mis-signed content, to test the recognition of legit signatures.

If those keys are included in the pubkeys.txt download, it's minorly
wasteful, but not a major problem.

ChrisA

Thomas Jollans

Mar 4, 2019, 5:41:28 PM
On 04/03/2019 20:37, Peter Otten wrote:
> For once I tried to verify a download from python.org, following the steps outlined at
>
> https://www.python.org/downloads/#pubkeys
>
> """
> You can import the release manager public keys by either downloading the public key file from here and then running
>
> gpg --import pubkeys.txt
> """
>
> When I ran the command above I saw
>
> $ gpg --import pubkeys.txt
> gpg: Schlüssel 6F5E1540: "Ned Deily <n...@acm.org>" 2 neue Signaturen
> gpg: Schlüssel 6A45C816: "Anthony Baxter <ant...@interlink.com.au>" nicht geändert
> gpg: Schlüssel 36580288: "Georg Brandl (Python release signing key) <ge...@python.org>" 2 neue Signaturen
> gpg: Schlüssel 7D9DC8D2: "Martin v. Löwis <mar...@v.loewis.de>" nicht geändert
> gpg: Schlüssel 18ADD4FF: "Benjamin Peterson <b...@benjamin.pe>" 3 neue Signaturen
> gpg: Schlüssel A4135B38: "Benjamin Peterson <benj...@python.org>" 1 neue Signatur
> gpg: Schlüssel A74B06BF: "Barry Warsaw <ba...@warsaw.us>" 138 neue Signaturen
> gpg: Schlüssel EA5BBD71: "Barry A. Warsaw <ba...@warsaw.us>" 6 neue Signaturen
> gpg: Schlüssel E6DF025C: "Ronald Oussoren <ronaldo...@mac.com>" nicht geändert
> gpg: Schlüssel F73C700D: "Larry Hastings <la...@hastings.org>" 2 neue Signaturen
> gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <n...@python.org>" 1 neue User-ID
> gpg: Schlüssel AA65421D: "Ned Deily (Python release signing key) <n...@python.org>" 20 neue Signaturen
> gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing) <steve...@microsoft.com>" 8 neue Signaturen
> gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG langa.pl) <luk...@langa.pl>" importiert
> gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key <mal...@example.org>" importiert
> [...]

Everything's working fine on your end. If you have a closer look, you'll
see that all of the "Totally Legit" keys have key IDs that are identical
to key IDs of actual Python release managers. e.g. in the last line,
EA5BBD71 refers to the key

pub rsa1024 2015-05-22 [C]
801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71
uid [ unknown] Totally Legit Signing Key <mal...@example.org>

but it ALSO refers to the key

pub dsa1024 2005-11-24 [SC]
DBBF2EEBF925FAADCF1F3FFFD9866941EA5BBD71
uid [ unknown] Barry A. Warsaw <ba...@warsaw.us>
uid [ unknown] Barry A. Warsaw <ba...@wooz.org>
uid [ unknown] Barry A. Warsaw <ba...@python.org>
uid [ unknown] Barry A. Warsaw <ba...@canonical.com>
uid [ unknown] Barry Warsaw (GNU Mailman) <ba...@list.org>
uid [ unknown] Barry A. Warsaw <barry....@canonical.com>
sub elg2048 2005-11-24 [E]

The thing is that 32-bit key IDs are not secure and can easily be
cloned. [1]

I imagine that Barry at least knows this, seeing as he apparently cloned
his own old (compromised) key:

pub rsa1024 2014-06-16 [SCEA] [revoked: 2016-08-16]
2C7E264D238159CB07A3C350192720F7EA5BBD71
uid [ revoked] Barry A. Warsaw <ba...@warsaw.us>

What I imagine happened here is that whoever exported the pubkeys.txt
file did so on the basis of 32-bit key IDs. This is not ideal, as it
pulled in bogus keys, but there's no real harm done.

For good measure, I've put this on bpo (36191).

-- Thomas

[1] https://evil32.com/

>
> Now "totally legit" does sound like anything but "totally legit". Is there a
> problem with my machine, or python.org, or is this all "totally legit"?
>
> Advice or pointers welcome.
>
>
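A defender's check for the collision Thomas describes, added here as an example and not code from the thread: it parses GnuPG's colon-format listing (what `gpg --list-keys --with-colons --fingerprint` prints) and groups keys by their 32-bit ID so cloned IDs stand out, then does the lookup that actually works, by full fingerprint. The sample records are constructed from the three EA5BBD71 fingerprints quoted above plus one made-up, non-colliding key.

```python
"""Flag 32-bit key-ID collisions in a GnuPG keyring (added example).
Parses gpg's documented colon format: a `pub` record, its `fpr` record,
then `uid` records. A short key ID is the low 32 bits of the fingerprint,
so keys collide whenever their fingerprints end in the same 8 hex digits.
Sample: three EA5BBD71 keys from the thread plus one constructed key."""
from collections import defaultdict

SAMPLE_LISTING = """\
pub:u:1024:17:D9866941EA5BBD71:2005-11-24:::u:::scSC::::::::
fpr:::::::::DBBF2EEBF925FAADCF1F3FFFD9866941EA5BBD71:
uid:u::::2005-11-24::::Barry A. Warsaw <ba...@warsaw.us>::::::::::0:
pub:-:1024:1:FEA3DC6DEA5BBD71:2015-05-22:::-:::cC::::::::
fpr:::::::::801BD5AE93D392E22DDC6C7AFEA3DC6DEA5BBD71:
uid:-::::2015-05-22::::Totally Legit Signing Key <mal...@example.org>::::::::::0:
pub:r:1024:1:192720F7EA5BBD71:2014-06-16:::-:::scESCA::::::::
fpr:::::::::2C7E264D238159CB07A3C350192720F7EA5BBD71:
uid:r::::2014-06-16::::Barry A. Warsaw <ba...@warsaw.us>::::::::::0:
pub:-:4096:1:89ABCDEF01234567:2018-01-01:::-:::scESC::::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""

def parse_listing(text):
    """One dict per primary key. Only the first `fpr` after a `pub` is
    taken, so subkey fingerprints (which follow `sub` records) are skipped."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "fpr": "", "uid": ""}
            keys.append(cur)
        elif f[0] == "fpr" and cur is not None and not cur["fpr"]:
            cur["fpr"] = f[9].upper()
        elif f[0] == "uid" and cur is not None and not cur["uid"]:
            cur["uid"] = f[9]
    return keys

def short_id(fpr):
    """The 32-bit key ID gpg shows by default: the last 8 hex digits."""
    return fpr.replace(" ", "")[-8:].upper()

def find_short_id_collisions(keys):
    """Map each short ID shared by more than one key to those keys."""
    groups = defaultdict(list)
    for k in keys:
        groups[short_id(k["fpr"])].append(k)
    return {sid: ks for sid, ks in groups.items() if len(ks) > 1}

def keys_with_fingerprint(keys, expected):
    """The reliable lookup: match the full 160-bit fingerprint, not an ID."""
    want = expected.replace(" ", "").upper()
    return [k for k in keys if k["fpr"] == want]
```

On a real keyring, feed the output of `gpg --list-keys --with-colons --fingerprint` to `parse_listing` and refuse any key whose full fingerprint does not match the one published out of band.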
