Issue #76 wontfix

pypi register page forces insecure 8 char PGP key ID

Hans-Christoph Steiner
I just signed up for an account on pypi to upload my python projects. It's a great site, and I've been happy to see pypi start to take security seriously. I was happy to see that the registration procedure included a spot to put my PGP key ID. Unfortunately, when I put in my 16 char key ID, it told me that it wasn't supported. When I put in the last 8 chars, then it worked.

The problem is that 8 char key IDs are easily spoofable. Ideally, pypi would request at least 16 chars. It should definitely allow 16 chars, and not force the insecure 8 char standard.

For more on this topic, including how to generate a PGP that matches any 8 char key ID: http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
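As an added example (not from the original issue and not PyPI's own code), here is the form-side check the report asks for: it accepts the 16-character long key ID or the 40-character fingerprint and rejects the 8-character short ID, and shows how both IDs are derived from a v4 fingerprint. The fingerprint in the demo is constructed.

```python
import re
from typing import Tuple

# Hex lengths of the three common ways of naming an OpenPGP key.
SHORT_KEY_ID_LEN = 8    # 32 bits: trivially spoofable, must be rejected
LONG_KEY_ID_LEN = 16    # 64 bits: the minimum a registration form should accept
FINGERPRINT_LEN = 40    # 160 bits: the full v4 fingerprint, the best choice


def normalize_key_id(raw: str) -> str:
    """Drop an optional 0x prefix and any whitespace, upper-case the hex."""
    s = raw.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    return re.sub(r"\s+", "", s).upper()


def validate_key_id(raw: str) -> Tuple[bool, str]:
    """Return (accepted, normalized_id_or_error_message)."""
    s = normalize_key_id(raw)
    if not s or not re.fullmatch(r"[0-9A-F]+", s):
        return False, "key ID must be hexadecimal"
    if len(s) == SHORT_KEY_ID_LEN:
        return False, ("8-character (32-bit) key IDs are spoofable; enter the "
                       "16-character key ID or the 40-character fingerprint")
    if len(s) in (LONG_KEY_ID_LEN, FINGERPRINT_LEN):
        return True, s
    return False, (f"unexpected length {len(s)}; expected {LONG_KEY_ID_LEN} "
                   f"or {FINGERPRINT_LEN} hex characters")


def key_ids_from_fingerprint(fingerprint: str) -> Tuple[str, str]:
    """For a v4 key the key ID is the low-order 64 bits of the fingerprint,
    i.e. its last 16 hex digits; the short ID is the last 8 of those."""
    fp = normalize_key_id(fingerprint)
    if len(fp) != FINGERPRINT_LEN or not re.fullmatch(r"[0-9A-F]+", fp):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp[-LONG_KEY_ID_LEN:], fp[-SHORT_KEY_ID_LEN:]


if __name__ == "__main__":
    # Constructed fingerprint for demonstration only, not a real key.
    demo_fp = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    long_id, short_id = key_ids_from_fingerprint(demo_fp)
    for candidate in (demo_fp, "0x" + long_id, short_id, "not-hex"):
        print(repr(candidate), "->", validate_key_id(candidate))
```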

  1. Donald Stufft

    So this is correct, but I've not been very concerned about it because to my knowledge nothing actually uses those keys. I'm working on a PyPI 2.0 and this is one of the things I plan on fixing in that.

  2. Robert Buchholz

    If it's not used for anything, then just remove it. There's no use in collecting 32 bit key IDs. It only gives the impression of it being used for improved security when it is not.

