On 7/2/19 18:31, Arthur D. Edelstein wrote:
Hi Everyone,
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Thanks, Arthur
In case it's helpful, I've cleaned the Tor Browser signing key of the poison signatures and put it up here[0] for the time being.
People[1] are attempting to download the poisoned key and experiencing issues. The instructions[2] on Tor's website that they are following still tell people to use the key server pool with poisoned keys. These should probably be updated ASAP.
Let's please do something about this.
Matt
PS I figured out my GnuPG issues and how to fix them following these[3] instructions.
[0]: https://demos.traudt.xyz/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.asc
[1]: https://redd.it/cgbza2
[2]: https://2019.www.torproject.org/docs/verifying-signatures.html.en
[3]: https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certific...
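The check Arthur says he has not yet learned how to do (and the cleaning Matt did by hand) can be scripted. What follows is an added example, not code from this thread, from the Tor Project, or from GnuPG. It parses the machine-readable output of `gpg --with-colons --list-sigs` and flags any certificate carrying far more third-party signatures than a real web of trust ever produces, which is the signature flooding the linked gist describes. The sample listing, the 100-signature threshold, and the helper names `parse_listing`, `flooded`, `list_sigs_with_gpg` and `clean_import_argv` are assumptions made for this example. The fingerprint EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 is the Tor Browser Developers key from the thread, but the signature lines attached to it below are constructed for illustration and say nothing about the real certificate.

```python
"""Flag OpenPGP certificates that look flooded with third-party signatures.

Added example (not code from the thread, the Tor Project or GnuPG).  It parses
`gpg --with-colons --list-sigs` output.  The threshold and the sample listing
are assumptions for the example.
"""
import shutil
import subprocess

# Constructed sample listing (assumption): one ordinary certificate with a
# single third-party signature, and one certificate flooded with 500
# signatures from keys that are not on the keyring.  Key IDs, timestamps and
# signer names on the flooded key are made up; only the fingerprint is real.
SAMPLE_LISTING = "\n".join(
    [
        "pub:u:4096:1:0123456789ABCDEF:1415716731:::u:::scESC::::::23::0:",
        "fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:",
        "uid:u::::1415716731::AAAA::Example Signer <signer@example.org>::::::::::0:",
        "sig:::1:0123456789ABCDEF:1415716731::::Example Signer <signer@example.org>:13x:::::2:",
        "sig:::1:FEDCBA9876543210:1420000000::::Friend <friend@example.org>:10x:::::2:",
        "pub:u:4096:1:4E2C6E8793298290:1415716731:::u:::scESC::::::23::0:",
        "fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:",
        "uid:u::::1415716731::BBBB::Tor Browser Developers (signing key) <torbrowser@torproject.org>::::::::::0:",
        "sig:::1:4E2C6E8793298290:1415716731::::Tor Browser Developers (signing key) <torbrowser@torproject.org>:13x:::::2:",
    ]
    + [f"sig:::1:{i:016X}:1561900000::::[User ID not found]:10x:::::2:" for i in range(500)]
)


def parse_listing(listing):
    """Map each primary-key fingerprint to its self- and third-party signature counts.

    Colon-format fields used: field 5 (index 4) is the key ID on `pub` and `sig`
    lines, field 10 (index 9) is the fingerprint on `fpr` lines and the signer's
    user ID on `sig` lines.  The `fpr` line directly after a `pub` line is the
    primary fingerprint; `fpr` lines after `sub` lines are ignored.
    """
    certs = {}
    current = None
    pending_keyid = None
    for line in listing.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            pending_keyid = fields[4]
            current = None
        elif kind == "fpr" and pending_keyid is not None:
            current = {"keyid": pending_keyid, "self_sigs": 0, "other_sigs": 0, "unknown_signers": 0}
            certs[fields[9]] = current
            pending_keyid = None
        elif kind in ("sig", "rev") and current is not None:
            if fields[4] == current["keyid"]:
                current["self_sigs"] += 1          # self-signatures (uid and subkey bindings)
            else:
                current["other_sigs"] += 1         # third-party certifications
                if fields[9] == "[User ID not found]":
                    current["unknown_signers"] += 1  # signer key not on this keyring
    return certs


def flooded(certs, max_other_sigs=100):
    """Fingerprints whose third-party signature count exceeds the threshold (assumed 100)."""
    return sorted(fpr for fpr, c in certs.items() if c["other_sigs"] > max_other_sigs)


def list_sigs_with_gpg(keyid):
    """Produce a real listing for one key; requires gpg on PATH."""
    result = subprocess.run(
        ["gpg", "--with-colons", "--list-sigs", keyid],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def clean_import_argv(keyfile):
    """gpg invocation that imports a certificate and drops signatures made by keys
    not present on the keyring (`import-clean`), which is how most flooding
    signatures get removed."""
    return ["gpg", "--import-options", "import-clean", "--import", keyfile]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for fpr, c in parse_listing(SAMPLE_LISTING).items():
        print(f"{fpr}: {c['self_sigs']} self-sigs, {c['other_sigs']} third-party sigs, "
              f"{c['unknown_signers']} from unknown keys")
    print("flagged:", flooded(parse_listing(SAMPLE_LISTING)))
    # Live check of the local keyring if gpg is installed (optional).
    if shutil.which("gpg"):
        print("flagged on local keyring:", flooded(parse_listing(list_sigs_with_gpg("--"))))
```

On a real keyring the flooded certificates stand out by two or three orders of magnitude, so the exact threshold hardly matters; the `unknown_signers` count is the more telling number, since a flooding attacker's signing keys are never on the victim's keyring. GnuPG 2.2.17, released in July 2019, changed keyserver imports to ignore third-party signatures by default, which is the same mitigation `import-clean` applies by hand.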