Hi Everyone,
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Thanks,
Arthur

On Fri, Jun 28, 2019 at 12:44 PM Antoine Beaupré <anarcat@torproject.org> wrote:
Short update: I was just told that a similar problem has actually occurred with TPO infrastructure, back in February:
https://lists.torproject.org/pipermail/tor-project/2019-February/002194.html
The affected key, at that time, was the deb.torproject.org signing key, which was signed by a key with a large UID. It's a different attack, but that can be mitigated in similar ways. The good key is still available here:
https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E88...
... where signatures are also provided so that you do not have to use the key from the keyservers. The key is also available on keys.openpgp.org.
A.
Antoine Beaupré
torproject.org system administration
_______________________________________________
tor-project mailing list
tor-project@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project