developer-workflow/psrt.rst
29 additions & 0 deletions
@@ -93,6 +93,35 @@ severity, advisory text, and fixes.
93
93
to ``security-announce@python.org`` using the below template. Backport labels must be added as appropriate.
94
94
After the advisory is published a CVE record can be created.
95
95
96
+
Handling code signing certificate reports
97
+
-----------------------------------------
98
+
99
+
Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates.
100
+
If a code signing certificate is reported as "compromised" or "malware signed with certificate",
101
+
the Python Security Response Team must request the following information from the reporter:
102
+
103
+
* Checksum(s) of binaries signed by certificate.
104
+
* Signature(s) of binaries signed by ceritificate.
105
+
106
+
To avoid unnecessary user confusion and churn around revoking code signing certificates,
107
+
any reports **must be verifiable independently by the PSRT before taking destructive
108
+
actions**, such as revoking certificates. With this information the PSRT can
109
+
take investigative steps to verify the report, such as:
110
+
111
+
* Downloading and checking artifacts from the associated Azure Pipelines executions
112
+
against the reported list of checksums.
113
+
* Verifying the validity of the signatures. `Past reports <https://discuss.python.org/t/windows-code-signing-certificates-for-python-3-12-8-3-13-1-revoked/103356/2>`__
114
+
have contained signatures that proported to be from Python code signing ceritificates, but were not valid.
115
+
* Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise.
116
+
117
+
If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only
118
+
will certificates be revoked and an advisory published.
119
+
If compromise is reported, the following non-destructive actions can be taken by the PSRT without
120
+
verifying the reported information as a precaution, if relevant:
121
+
122
+
* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing)
123
+
* Resetting passwords for accounts with access to signing certificates.
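Review bot: the last bullet names the product inconsistently: "``TrustedSigningSecret`` for Azure Trusted Publishing" should read "Azure Trusted Signing", which is what the opening sentence of the section ("Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates.") and the audit-log bullet call it; a responder following this runbook under pressure should not have to guess which service is meant. The sentence "If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only / will certificates be revoked and an advisory published." has the "only" in the wrong place and reads as a non sequitur; suggest "Only if the PSRT discovers signs of compromise or incorrectly signed binaries will certificates be revoked and an advisory published." Spelling: "ceritificate" (in "Signature(s) of binaries signed by ceritificate" and again in "Python code signing ceritificates") should be "certificate", and "proported" should be "purported". One further suggestion for the requested information list: state the hash algorithm expected for "Checksum(s) of binaries signed by certificate" (for example SHA-256), so the reporter's list can be compared directly against the Azure Pipelines artifacts in the verification step that follows.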