@@ -96,30 +96,35 @@ severity, advisory text, and fixes.
9696Handling code signing certificate reports
9797-----------------------------------------
9898
99- Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates.
100- If a code signing certificate is reported as "compromised" or "malware signed with certificate",
101- the Python Security Response Team must request the following information from the reporter:
99+ Python signs binaries using Azure Trusted Signing and Apple Developer ID
100+ certificates. If a code signing certificate is reported as "compromised" or
101+ "malware signed with certificate", the Python Security Response Team must
102+ request the following information from the reporter:
102103
103104* Checksum(s) of binaries signed by certificate.
104105* Signature(s) of binaries signed by certificate.
105106
106- To avoid unnecessary user confusion and churn around revoking code signing certificates,
107- any reports **must be verifiable independently by the PSRT before taking destructive
108- actions **, such as revoking certificates. With this information the PSRT can
109- take investigative steps to verify the report, such as:
110-
111- * Downloading and checking artifacts from the associated Azure Pipelines executions
112- against the reported list of checksums.
113- * Verifying the validity of the signatures. `Past reports <https://discuss.python.org/t/103356/2 >`__
114- have contained signatures that purported to be from Python code signing certificates, but were not valid.
115- * Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise.
116-
117- If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only
118- then will certificates be revoked and an advisory published.
119- If compromise is reported, the following non-destructive actions can be taken by the PSRT without
120- verifying the reported information as a precaution, if relevant:
121-
122- * Rotating secrets associated with code signing (``TrustedSigningSecret `` for Azure Trusted Publishing).
107+ To avoid unnecessary user confusion and churn around revoking code signing
108+ certificates, any reports **must be verifiable independently by the PSRT before
109+ taking destructive actions **, such as revoking certificates. With this
110+ information the PSRT can take investigative steps to verify the report, such as:
111+
112+ * Downloading and checking artifacts from the associated Azure Pipelines
113+ executions against the reported list of checksums.
114+ * Verifying the validity of the signatures. `Past reports
115+ <https://discuss.python.org/t/103356/2> `__ have contained signatures that
116+ purported to be from Python code signing certificates, but were not valid.
117+ * Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of
118+ compromise.
119+
120+ If any signs of compromise or incorrectly signed binaries are discovered by the
121+ PSRT, only then will certificates be revoked and an advisory published.
122+ If compromise is reported, the following non-destructive actions can be taken by
123+ the PSRT without verifying the reported information as a precaution, if
124+ relevant:
125+
126+ * Rotating secrets associated with code signing (``TrustedSigningSecret `` for
127+ Azure Trusted Publishing).
123128* Resetting passwords for accounts with access to signing certificates.
124129
125130Template responses
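Review bot: several inline-markup spans in the reflowed paragraphs have a space before their closing delimiter, which reStructuredText does not accept as an end-string, so they will render literally rather than as bold, link or literal text: `taking destructive actions **, such as` should read `taking destructive actions**, such as`; the link should close as `<https://discuss.python.org/t/103356/2>`__` with no space before the backtick; and the secret name should be ``TrustedSigningSecret`` with no trailing space inside the double backticks. Since this commit is already touching every one of those lines, it is the right place to fix them. Separately, the last added bullet says "for Azure Trusted Publishing" while the rest of the section (and the secret name itself) refers to Azure Trusted Signing; please confirm which service is meant and make the wording consistent.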