-
-
Notifications
You must be signed in to change notification settings - Fork 925
Add runbook for code signing certificate reports to PSRT #1651
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
hugovk
merged 6 commits into
python:main
from
sethmlarson:windows-certificate-revocation-criteria
Sep 30, 2025
Merged
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
298c48c
Add runbook for code signing certificate reports to PSRT
sethmlarson 96e381d
Fix the typos!
sethmlarson feb9e27
Apply suggestions from code review
sethmlarson 5dfdd5b
Shorten DPO URL
sethmlarson d38fcbd
Merge branch 'main' into windows-certificate-revocation-criteria
sethmlarson c626db5
Rewrap
hugovk File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -93,6 +93,35 @@ severity, advisory text, and fixes. | |
| to ``[email protected]`` using the below template. Backport labels must be added as appropriate. | ||
| After the advisory is published a CVE record can be created. | ||
|
|
||
| Handling code signing certificate reports | ||
| ----------------------------------------- | ||
|
|
||
| Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates. | ||
| If a code signing certificate is reported as "compromised" or "malware signed with certificate", | ||
| the Python Security Response Team must request the following information from the reporter: | ||
|
|
||
| * Checksum(s) of binaries signed by certificate. | ||
| * Signature(s) of binaries signed by ceritificate. | ||
|
|
||
| To avoid unnecessary user confusion and churn around revoking code signing certificates, | ||
| any reports **must be verifiable independently by the PSRT before taking destructive | ||
| actions**, such as revoking certificates. With this information the PSRT can | ||
| take investigative steps to verify the report, such as: | ||
|
|
||
| * Downloading and checking artifacts from the associated Azure Pipelines executions | ||
| against the reported list of checksums. | ||
| * Verifying the validity of the signatures. `Past reports <https://discuss.python.org/t/windows-code-signing-certificates-for-python-3-12-8-3-13-1-revoked/103356/2>`__ | ||
sethmlarson marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| have contained signatures that purported to be from Python code signing certificates, but were not valid. | ||
| * Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise. | ||
|
|
||
| If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only | ||
| will certificates be revoked and an advisory published. | ||
sethmlarson marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| If compromise is reported, the following non-destructive actions can be taken by the PSRT without | ||
| verifying the reported information as a precaution, if relevant: | ||
|
|
||
| * Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing) | ||
sethmlarson marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| * Resetting passwords for accounts with access to signing certificates. | ||
|
|
||
| Template responses | ||
| ------------------ | ||
|
|
||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.