Comment by woodruffw

1 year ago

> they are not worse than having no traceability of the package at all between the author and PyPI.

Except that they are: PGP does not give you this kind of identity relationship. The most it can give you is an association to a key ID, which is (1) brute-forceable, and (2) not strongly bound to any actual user or machine identity.

The only thing worse than an unsecured scheme is an insecure scheme that lulls users into a false sense of security and authenticity. PGP signatures on PyPI are the latter.

> The most it can give you is an association to a key ID, which is (1) brute-forceable

This is false. That would mean brute forcing a 160-bit SHA-1 hash. That is not possible.

  • This is wrong on every conceivable level:

    1. Key IDs are 32-bit truncations of the SHA-1 hash. That means 32 bits of state, not 160. Fake key IDs are observable in the wild[1].

    2. You're confusing pre-image resistance with collision resistance. SHA-1 has been publicly vulnerable to practical collision attacks since 2017[2].

    [1]: https://www.phoronix.com/news/Short-PGP-Collision-Attacks

    [2]: https://shattered.io/

    • OK, you are talking about the 64-bit keyID. The 32-bit keyIDs are no longer used for the reason you state.

      Shattered is about SHA-1 use in key signatures. It has nothing to do with keyIDs.
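
The relationship between a v4 fingerprint and its 64-bit and 32-bit key IDs, as discussed in this thread, shown as an added example that is not part of any comment above. It follows the RFC 4880 section 12.2 definition; the packet body, the second fingerprint, and the helper names (`candidates`, `resolve_pin`) are constructed for illustration.

```python
import hashlib
import struct

def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte length, public-key packet body."""
    header = b"\x99" + struct.pack(">H", len(packet_body))
    return hashlib.sha1(header + packet_body).hexdigest().upper()

def key_ids(fingerprint: str) -> dict:
    """The long and short key IDs are the low 64 and low 32 bits of the fingerprint."""
    return {"long": fingerprint[-16:], "short": fingerprint[-8:]}

def normalize(identifier: str) -> str:
    """Strip spaces and an optional 0x prefix; accept only 32-, 64- or 160-bit hex."""
    ident = identifier.replace(" ", "").upper()
    ident = ident[2:] if ident.startswith("0X") else ident
    if len(ident) not in (8, 16, 40) or set(ident) - set("0123456789ABCDEF"):
        raise ValueError(f"not a key ID or v4 fingerprint: {identifier!r}")
    return ident

def candidates(identifier: str, keyring: list) -> list:
    """Every fingerprint in the keyring that the identifier could refer to."""
    ident = normalize(identifier)
    return [fpr for fpr in keyring if fpr.endswith(ident)]

def resolve_pin(identifier: str, keyring: list) -> str:
    """Resolve a pinned identifier to one key, refusing truncated key IDs."""
    ident = normalize(identifier)
    if len(ident) != 40:
        hits = len(candidates(ident, keyring))
        raise ValueError(f"{len(ident) * 4}-bit key ID matches {hits} key(s); pin the fingerprint")
    if ident not in keyring:
        raise KeyError(ident)
    return ident

# Constructed sample, not a real key: v4 packet body with creation time 0,
# algorithm 1 (RSA) and toy MPIs for n and e.
SAMPLE_BODY = b"\x04" + struct.pack(">I", 0) + b"\x01" + b"\x00\x10\xc3\x5b" + b"\x00\x11\x01\x00\x01"
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)
# Constructed second fingerprint that shares only the low 32 bits with the sample.
LOOKALIKE_FPR = "A" * 32 + key_ids(SAMPLE_FPR)["short"]
KEYRING = [SAMPLE_FPR, LOOKALIKE_FPR]

if __name__ == "__main__":
    print(SAMPLE_FPR, key_ids(SAMPLE_FPR))
    print(candidates(key_ids(SAMPLE_FPR)["short"], KEYRING))
```

With this keyring the short key ID selects both entries, while the long key ID and the full fingerprint select one; `resolve_pin` accepts only the full fingerprint.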