Merged
Changes from 3 commits
29 changes: 29 additions & 0 deletions developer-workflow/psrt.rst
Expand Up @@ -93,6 +93,35 @@ severity, advisory text, and fixes.
to ``[email protected]`` using the below template. Backport labels must be added as appropriate.
After the advisory is published a CVE record can be created.

Handling code signing certificate reports
-----------------------------------------

Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates.
If a code signing certificate is reported as "compromised" or "malware signed with certificate",
the Python Security Response Team must request the following information from the reporter:

* Checksum(s) of binaries signed by certificate.
* Signature(s) of binaries signed by certificate.

To avoid unnecessary user confusion and churn around revoking code signing certificates,
any reports **must be verifiable independently by the PSRT before taking destructive
actions**, such as revoking certificates. With this information the PSRT can
take investigative steps to verify the report, such as:

* Downloading and checking artifacts from the associated Azure Pipelines executions
against the reported list of checksums.
* Verifying the validity of the signatures. `Past reports <https://discuss.python.org/t/windows-code-signing-certificates-for-python-3-12-8-3-13-1-revoked/103356/2>`__
have contained signatures that purported to be from Python code signing certificates, but were not valid.
* Checking the Azure Pipelines and Azure Trusted Signing audit logs for signs of compromise.

If any signs of compromise or incorrectly signed binaries are discovered by the PSRT, only
then will certificates be revoked and an advisory published.
If compromise is reported, the following non-destructive actions can be taken by the PSRT without
verifying the reported information as a precaution, if relevant:

* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing).
* Resetting passwords for accounts with access to signing certificates.

Template responses
------------------

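Review bot: the service name in the secret-rotation bullet does not match the rest of the section. The line ``* Rotating secrets associated with code signing (``TrustedSigningSecret`` for Azure Trusted Publishing).`` says "Azure Trusted Publishing", while the opening sentence ("Python signs binaries using Azure Trusted Signing and Apple Developer ID certificates.") and the audit-log step both say "Azure Trusted Signing", and the secret itself is named ``TrustedSigningSecret``; the parenthetical should read "for Azure Trusted Signing". Related gap: that opening sentence names two signing paths, but every investigative step (Azure Pipelines artifacts, Azure Trusted Signing audit logs) and both precautionary actions cover only the Windows path, so a report naming the Apple Developer ID certificate has no defined verification or remediation steps; either scope the section to the Windows signing path explicitly or add the macOS counterparts (where that signing runs and which records the PSRT would check). Minor wording: "can be taken by the PSRT without verifying the reported information as a precaution, if relevant" reads as though the verification is the precaution; suggest "can be taken by the PSRT as a precaution, without first verifying the report, where relevant".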