From 298c48c9989af2fc2a5549ff0dacb94203ae4b62 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 8 Sep 2025 14:48:51 -0500 Subject: [PATCH 1/5] Add runbook for code signing certificate reports to PSRT --- developer-workflow/psrt.rst | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 9d9019dbf..92ef9a2bb 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst 
@@ -93,6 +93,35 @@ severity, advisory text, and fixes. to ``security-announce@python.org`` using the below template. Backport labels must be added as appropriate. After the advisory is published a CVE record can be created. +Handling code signing certificate reports +----------------------------------------- + +Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates. +If a code signing certificate is reported as "compromised" or "malware signed with certificate", +the Python Security Response Team must request the following information from the reporter: + +* Checksum(s) of binaries signed by certificate. +* Signature(s) of binaries signed by ceritificate. + +To avoid unnecessary user confusion and churn around revoking code signing certificates, +any reports **must be verifiable independently by the PSRT before taking destructive +actions**, such as revoking certificates. With this information the PSRT can +take investigative steps to verify the report, such as: + +* Downloading and checking artifacts from the associated Azure Pipelines executions + against the reported list of checksums. +* Verifying the validity of the signatures. `Past reports `__ + have contained signatures that proported to be from Python code signing ceritificates, but were not valid. +* Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise. + +If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only +will certificates be revoked and an advisory published. +If compromise is reported, the following non-destructive actions can be taken by the PSRT without +verifying the reported information as a precaution, if relevant: + +* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing) +* Resetting passwords for accounts with access to signing certificates. + Template responses ------------------ 
From 96e381d43043dc030605fb8a20e635a07f196717 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 8 Sep 2025 20:44:21 +0000 Subject: [PATCH 2/5] Fix the typos! Co-authored-by: Steve Dower --- developer-workflow/psrt.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 92ef9a2bb..09022a99a 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst @@ -111,7 +111,7 @@ take investigative steps to verify the report, such as: * Downloading and checking artifacts from the associated Azure Pipelines executions against the reported list of checksums. * Verifying the validity of the signatures. `Past reports `__ - have contained signatures that proported to be from Python code signing ceritificates, but were not valid. + have contained signatures that purported to be from Python code signing certificates, but were not valid. * Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise. If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only From feb9e2749c07700144b8ae963894a85718aadc36 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Tue, 9 Sep 2025 07:34:35 -0500 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Ezio Melotti Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- developer-workflow/psrt.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 09022a99a..1ae34aac3 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst 
@@ -101,7 +101,7 @@ If a code signing certificate is reported as "compromised" or "malware signed wi the Python Security Response Team must request the following information from the reporter: * Checksum(s) of binaries signed by certificate. -* Signature(s) of binaries signed by ceritificate. +* Signature(s) of binaries signed by certificate. To avoid unnecessary user confusion and churn around revoking code signing certificates, any reports **must be verifiable independently by the PSRT before taking destructive @@ -115,11 +115,11 @@ take investigative steps to verify the report, such as: * Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise. If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only -will certificates be revoked and an advisory published. +then will certificates be revoked and an advisory published. If compromise is reported, the following non-destructive actions can be taken by the PSRT without verifying the reported information as a precaution, if relevant: -* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing) +* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing). * Resetting passwords for accounts with access to signing certificates. Template responses From 5dfdd5b95b8e2e5655de82ddb7d70052c2cf30e4 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Tue, 9 Sep 2025 07:46:39 -0500 Subject: [PATCH 4/5] Shorten DPO URL Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- developer-workflow/psrt.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 1ae34aac3..82a5ff9cd 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst 
@@ -110,7 +110,7 @@ take investigative steps to verify the report, such as: * Downloading and checking artifacts from the associated Azure Pipelines executions against the reported list of checksums. -* Verifying the validity of the signatures. `Past reports `__ +* Verifying the validity of the signatures. `Past reports `__ have contained signatures that purported to be from Python code signing certificates, but were not valid. * Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise. From c626db5259d48b005614adb8b223bac9a6363962 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Tue, 30 Sep 2025 15:35:09 +0300 Subject: [PATCH 5/5] Rewrap --- developer-workflow/psrt.rst | 45 ++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/developer-workflow/psrt.rst b/developer-workflow/psrt.rst index 82a5ff9cd..cf5acd2b7 100644 --- a/developer-workflow/psrt.rst +++ b/developer-workflow/psrt.rst 
@@ -96,30 +96,35 @@ severity, advisory text, and fixes. Handling code signing certificate reports ----------------------------------------- -Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates. -If a code signing certificate is reported as "compromised" or "malware signed with certificate", -the Python Security Response Team must request the following information from the reporter: +Python signs binaries using Azure Trusted Signing and Apple Developer ID +certificates. If a code signing certificate is reported as "compromised" or +"malware signed with certificate", the Python Security Response Team must +request the following information from the reporter: * Checksum(s) of binaries signed by certificate. * Signature(s) of binaries signed by certificate. -To avoid unnecessary user confusion and churn around revoking code signing certificates, -any reports **must be verifiable independently by the PSRT before taking destructive -actions**, such as revoking certificates. With this information the PSRT can -take investigative steps to verify the report, such as: - -* Downloading and checking artifacts from the associated Azure Pipelines executions - against the reported list of checksums. -* Verifying the validity of the signatures. `Past reports `__ - have contained signatures that purported to be from Python code signing certificates, but were not valid. -* Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise. - -If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only -then will certificates be revoked and an advisory published. -If compromise is reported, the following non-destructive actions can be taken by the PSRT without -verifying the reported information as a precaution, if relevant: - -* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing). 
+To avoid unnecessary user confusion and churn around revoking code signing +certificates, any reports **must be verifiable independently by the PSRT before +taking destructive actions**, such as revoking certificates. With this +information the PSRT can take investigative steps to verify the report, such as: + +* Downloading and checking artifacts from the associated Azure Pipelines + executions against the reported list of checksums. +* Verifying the validity of the signatures. `Past reports + `__ have contained signatures that + purported to be from Python code signing certificates, but were not valid. +* Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of + compromise. + +If any signs of compromise or incorrectly signed binaries are discovered by the +PSRT, only then will certificates be revoked and an advisory published. +If compromise is reported, the following non-destructive actions can be taken by +the PSRT without verifying the reported information as a precaution, if +relevant: + +* Rotating secrets associated with code signing (``TrustedSigningSecret`` for + Azure Trusted Publishing). * Resetting passwords for accounts with access to signing certificates. Template responses
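Review bot: the reporter checklist in the PATCH 1/5 hunk ("* Checksum(s) of binaries signed by certificate." / "* Signature(s) of binaries signed by certificate.") does not say which digest or which form of signature to request, so a responder may receive values that cannot be compared directly against the Azure Pipelines artifacts the next paragraph tells them to download; name the expected checksum algorithm (for example SHA-256) and ask for the signed binary itself, or at least its exact filename and release version, alongside the reporter's signature so the PSRT can run its own verification rather than relying on a signature block extracted by the reporter.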
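Review bot: the PATCH 2/5 hunk corrects "proported" and "ceritificates" on the "Past reports" line but leaves the same misspelling on the earlier bullet "* Signature(s) of binaries signed by ceritificate.", which is only picked up in PATCH 3/5; folding both typo fixes into this one commit would keep the series easier to review and bisect.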
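Review bot: in the second hunk of PATCH 3/5 the rotation bullet "* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing)." names "Azure Trusted Publishing", while the section opener and the audit-log step both refer to "Azure Trusted Signing"; if the same service is meant, make the name consistent so a responder working from this runbook is not sent looking for a second system. In the same hunk, the context line "verifying the reported information as a precaution, if relevant:" reads as though verifying is the precaution; suggest "can be taken by the PSRT as a precaution, if relevant, without first verifying the reported information:".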
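Review bot: in the PATCH 4/5 hunk the removed and added lines both read "`Past reports `__" with nothing between the link text and the closing backtick, so no hyperlink target is visible in either version even though the commit is titled "Shorten DPO URL"; confirm the shortened link is actually present in the committed file, since an anonymous reST reference with no matching target produces a docutils error and will break a warnings-as-errors docs build.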
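Review bot: the rewrapped section in the PATCH 5/5 hunk still covers only one of the two certificate types it introduces: the opening sentence names both Azure Trusted Signing and Apple Developer ID certificates, but the investigative bullets check only Azure Pipelines artifacts and Azure Trusted Signing audit logs, and the precautionary bullets name only ``TrustedSigningSecret``; add the corresponding steps for a report against the Apple Developer ID certificate (which logs to review and which account credentials to reset), or state explicitly that Apple reports follow a separate procedure, so the runbook does not leave that case to improvisation during an incident.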