On Tue, Mar 5, 2019 at 9:06 AM Ben Finney <ben+pyt...@benfinney.id.au> wrote:
>
> Peter Otten <__pete...@web.de> writes:
>
> > $ gpg --import pubkeys.txt
> > […]
> > gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing)
> > <steve.do...@microsoft.com>" 8 neue Signaturen
> > gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG
> > langa.pl) <luk...@langa.pl>" importiert
> > gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key
> > <mall...@example.org>" importiert
> > gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key
> > <mall...@example.org>" importiert
> > gpg: Schlüssel 6F5E1540: Öffentlicher Schlüssel "Totally Legit Signing Key
> > <mall...@example.org>" importiert
> > gpg: Schlüssel AA65421D: Öffentlicher Schlüssel "Totally Legit Signing Key
> > <mall...@example.org>" importiert
> > gpg: Schlüssel E6DF025C: Öffentlicher Schlüssel "Totally Legit Signing Key
> > <mall...@example.org>" importiert
> > gpg: Schlüssel EA5BBD71: Öffentlicher Schlüssel "Totally Legit Signing Key
> > <mall...@example.org>" importiert
> > [...]
> >
> > Now "totally legit" does sound like anything but "totally legit".
>
> Another clue is in the email address for that key: the ‘example.org’
> domain is guaranteed to never resolve to any machine on the internet.
(More or less - that domain DOES resolve (and has an explanatory web site
running on both HTTP and HTTPS), but it's guaranteed never to be anything
more significant than an example.)

Also of note is that the user portion of the address is "Mallory", a
well-known member of the "Alice and Bob" set of names.

https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characters

So I would expect these keys to be used for example malicious messages or
mis-signed content, to test the recognition of legit signatures. If those
keys are included in the pubkeys.txt download, it's minorly wasteful, but
not a major problem.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
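As an added example (not code from the thread or from the Python release process), a small Python check over the quoted `gpg --import` output: it flags user IDs whose address sits on an RFC 2606 reserved domain such as example.org, and it also reports any key ID that the output attaches to more than one user ID, which the quoted lines show for 487034E5 (Steve Dower's key and one of the "Totally Legit" keys). The sample is the quoted output with the mail client's line wrapping left in; treating any line that does not start with `gpg:` as a continuation is an assumption about that wrapping, not part of gpg's format.

```python
import re
from collections import defaultdict
# Constructed sample: the gpg --import lines quoted in the thread (German
# locale), kept as the mail wrapped them, so each record spans two lines.
SAMPLE_OUTPUT = """\
gpg: Schlüssel 487034E5: "Steve Dower (Python Release Signing)
<steve.do...@microsoft.com>" 8 neue Signaturen
gpg: Schlüssel 10250568: Öffentlicher Schlüssel "Łukasz Langa (GPG
langa.pl) <luk...@langa.pl>" importiert
gpg: Schlüssel 487034E5: Öffentlicher Schlüssel "Totally Legit Signing Key
<mall...@example.org>" importiert
gpg: Schlüssel F73C700D: Öffentlicher Schlüssel "Totally Legit Signing Key
<mall...@example.org>" importiert
"""

# RFC 2606 names that never identify a real correspondent.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"example", "invalid", "localhost", "test"}

# German locale prints "Schlüssel", the English one prints "key".
RECORD_RE = re.compile(r'^gpg: (?:Schlüssel|key) ([0-9A-Fa-f]{8,40}): [^"]*"([^"]+)"')

def parse_import_output(text):
    """Return [(key_id, uid), ...], re-joining records that a mail client
    wrapped onto a following line (assumed: any line not starting 'gpg:')."""
    records = []
    for line in text.splitlines():
        if line.startswith("gpg:"):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return [(m.group(1).upper(), m.group(2)) for m in map(RECORD_RE.match, records) if m]

def uid_domain(uid):
    m = re.search(r"<[^>]*@([^>]+)>", uid)
    return m.group(1).lower() if m else ""

def suspicious_keys(text):
    """Flag UIDs on reserved domains, then key IDs shared by different UIDs."""
    findings, by_id = [], defaultdict(set)
    for key_id, uid in parse_import_output(text):
        by_id[key_id].add(uid)
        dom = uid_domain(uid)
        if dom in RESERVED_DOMAINS or dom.rsplit(".", 1)[-1] in RESERVED_TLDS:
            findings.append((key_id, "reserved-domain", uid))
    for key_id, uids in by_id.items():
        if len(uids) > 1:
            findings.append((key_id, "shared-key-id", " | ".join(sorted(uids))))
    return findings
```

Run `suspicious_keys(SAMPLE_OUTPUT)` to get two reserved-domain findings and one shared-key-id finding for 487034E5; a real bundle would be fed in from the captured import output instead of the sample.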