Where can I get a copy of the GPG/PGP public key that was used to sign the Python installation files?
The key fingerprint is "FC624643487034E5" (gpg --verify python-3.8.0-amd64.exe.asc python-3.8.0-amd64.exe).
I searched multiple key stores like MIT, Ubuntu, and others.
The signature is there with the download. This is the signature. There are many .asc signature files. Somebody should upload the key to a mainline key server, or the signatures are worthless. https://www.python.org/ftp/python/3.8.0/
RedHat, for example, publishes their security team keys: https://access.redhat.com/security/team/key/
It's probably overkill to verify signatures, but the supply-chain attack is real. Look at what happened to Android: https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/
Thank you...
You can find the public keys for Python release binaries here: Download Python | Python.org, look for the OpenPGP Public Keys section.
The specific key you're looking at (FC624643487034E5) belongs to Steve Dower, who's associated with Windows binary releases. Here's a direct link to Steve's public key hosted on keybase.io: 7ed10b6531d7c8e1bc296021fc624643487034e5
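The "FC624643487034E5" the questioner saw is the 64-bit key ID that gpg prints from the signature's issuer subpacket; the full 160-bit fingerprint (7ED10B65...34E5) ends in those same 16 hex digits. As an added example, not part of this thread and not code from python.org, the following Python script reads a detached ASCII-armored .asc signature, walks the OpenPGP v4 signature packet and reports which key ID and (where the signer included it) which fingerprint it claims, then compares that against a fingerprint you pinned from the official download page. The sample signature is constructed inline with a placeholder MPI, so it is not a valid signature; the script only tells you which key to fetch and pin. The actual trust decision still has to be gpg --verify against a key whose fingerprint you took from python.org, not from a key server or from the signature itself.

```python
import base64
import struct

# Fingerprint of the Windows release-signing key as quoted in the answer above.
EXPECTED_FPR = "7ed10b6531d7c8e1bc296021fc624643487034e5"


def crc24(data: bytes) -> int:
    """CRC-24 used in the '=XXXX' trailer of OpenPGP ASCII armor (RFC 4880 s6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet: bytes) -> str:
    """Wrap raw packet bytes in a PGP SIGNATURE armor block (used to build the sample)."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")


def dearmor(text: str) -> bytes:
    """Strip armor lines/headers, base64-decode the body and check the CRC trailer."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_lines = [l for l in body if l.startswith("=")]
    if crc_lines and crc24(raw) != int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big"):
        raise ValueError("armor CRC mismatch: file is corrupt or truncated")
    return raw


def read_packet(raw: bytes):
    """Parse one OpenPGP packet header (old or new format); return (tag, body)."""
    first = raw[0]
    if not first & 0x80:
        raise ValueError("invalid packet header")
    if first & 0x40:                    # new-format header
        tag, ln = first & 0x3F, raw[1]
        if ln < 192:
            length, off = ln, 2
        elif ln < 224:
            length, off = ((ln - 192) << 8) + raw[2] + 192, 3
        elif ln == 255:
            length, off = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                               # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 3
        if ltype == 0:
            length, off = raw[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", raw[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", raw[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, raw[off:off + length]


def parse_subpackets(data: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 s5.2.3.1)."""
    i = 0
    while i < len(data):
        ln = data[i]
        if ln < 192:
            length, i = ln, i + 1
        elif ln < 255:
            length, i = ((ln - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]
        i += length


def signing_key_of(armored: str) -> dict:
    """Return the issuer key ID / fingerprint a v4 signature claims (unverified!)."""
    tag, body = read_packet(dearmor(armored))
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed, p = body[6:6 + hlen], 6 + hlen
    ulen = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + ulen]
    info = {"sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "key_id": None, "fingerprint": None}
    # Type 16 = Issuer (8-byte key ID), type 33 = Issuer Fingerprint (version + 20 bytes).
    # Neither is proof of anything: they only tell you which key to fetch and pin.
    for stype, sdata in list(parse_subpackets(hashed)) + list(parse_subpackets(unhashed)):
        if stype == 16 and info["key_id"] is None:
            info["key_id"] = sdata.hex().upper()
        elif stype == 33 and info["fingerprint"] is None and sdata[0] == 4:
            info["fingerprint"] = sdata[1:21].hex().upper()
    return info


def matches_expected_key(armored: str, expected_fpr: str) -> bool:
    """True if the signature names the pinned key (by full fingerprint, else by key ID)."""
    info, fpr = signing_key_of(armored), expected_fpr.replace(" ", "").upper()
    if info["fingerprint"] is not None:
        return info["fingerprint"] == fpr
    return info["key_id"] == fpr[-16:]  # v4 key ID = low 64 bits of the fingerprint


# Constructed sample: a v4 RSA/SHA-256 binary-document signature naming the key above,
# with a dummy 32-bit MPI. It parses like a real .asc but would never verify.
_fpr = bytes.fromhex(EXPECTED_FPR)
_hashed = bytes([5, 2]) + (0x5D9C0000).to_bytes(4, "big") + bytes([22, 33, 4]) + _fpr
_unhashed = bytes([9, 16]) + _fpr[-8:]
_body = (bytes([4, 0, 1, 8]) + len(_hashed).to_bytes(2, "big") + _hashed
         + len(_unhashed).to_bytes(2, "big") + _unhashed
         + b"\xab\xcd" + (32).to_bytes(2, "big") + b"\x00\x00\x00\x01")
SAMPLE_SIG = armor(bytes([0xC2, len(_body)]) + _body)

if __name__ == "__main__":
    print(signing_key_of(SAMPLE_SIG))
    print("names pinned key:", matches_expected_key(SAMPLE_SIG, EXPECTED_FPR))
```

Run it against a real download by replacing SAMPLE_SIG with the contents of python-3.8.0-amd64.exe.asc; if the reported key ID or fingerprint is not one published on the python.org download page, stop before importing anything. Once the key is imported, pin it by fingerprint and let gpg --verify do the cryptographic check; this script deliberately does not attempt that.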