undefined | Better HN

0 pointswoodruffw3y ago0 comments

> they are not worse than having no traceability of the package at all between the author and PyPI.

Except that they are: PGP does not give you this kind of identity relationship. The most it can give you is an association to a key ID, which is (1) brute-forceable, and (2) not strongly bound to any actual user or machine identity.

The only thing worse than an unsecured scheme is an insecure scheme that lulls users into a false sense of security and authenticity. PGP signatures on PyPI are the latter.

0 comments

3 comments · 1 top-level

upofadown3y ago· 2 in thread

>The most it can give you is an association to a key ID, which is (1) brute-forceable

This is false. That would mean brute forcing a 160 bit SHA-1 hash. That is not possible.

woodruffwOP3y ago

This is wrong on every conceivable level:

1. Key IDs are 32-bit truncations of the SHA-1 hash. That means 32 bits of state, not 160. Fake key IDs are observable in the wild[1].

2. You're confusing pre-image resistance with collision resistance. SHA-1 has been publicly vulnerable to practical collision attacks since 2017[2].

[1]: https://www.phoronix.com/news/Short-PGP-Collision-Attacks

[2]: https://shattered.io/

upofadown3y ago

OK, you are talking about the 64 bit keyID. The 32 bit keyIDs are no longer used for the reason you state.

Shattered is about SHA-1 use in key signatures. It has nothing to do with keyIDs.

j / k navigate · click thread line to collapse