On Thu, Jul 13, 2017 at 11:00:01AM -0700, Damian Johnson wrote:
> Hi everyone! If you haven't already please check your PGP key on...
> https://www.torproject.org/about/corepeople_alternate.html.en
> The one I initially pulled from the MIT keyserver for Roger turned out to be a fake. For folks who sent me an attachment with their public key I used that, but for everybody else I simply snagged what I could find. Feel free to shoot me a copy of your public key if you want to be extra sure it's right.
Maybe not too related to this, but it would be great if similar work was done on the "Verify package signatures" [0] and "Signing keys" [1] pages. Making some integration with db.torproject.org may be too much work, but just reviewing those and using long key ids would be nice.
Among the short key ids in [1] is Roger's and that makes it easy for people to get the fake one by distraction.
P.S. Great work on the people page, Damian!
Thanks, -Felipe
[0]: https://www.torproject.org/docs/verifying-signatures.html.en
[1]: https://www.torproject.org/docs/signing-keys.html.en
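
Added example, not part of the original message or of any Tor Project tooling: a small Python audit of the kind of review suggested above, which flags 32-bit short key ids in page text and shows why a long id or full fingerprint is needed to tell two keys apart. Every key id, fingerprint and line of page text below is constructed for illustration.

```python
import re

KINDS = {8: "short", 16: "long", 40: "fingerprint"}
# Fingerprints are often printed as ten groups of four hex digits.
_SPACED_FPR = re.compile(r"\b(?:[0-9A-Fa-f]{4} +){9}[0-9A-Fa-f]{4}\b")
_KEY_ID = re.compile(
    r"\b(?:0x)?([0-9A-Fa-f]{40}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{8})\b")

# Constructed sample data: two v4 fingerprints sharing their last 32 bits.
GENUINE = "1111222233334444555566667777888899990000"
LOOKALIKE = "AAAABBBBCCCCDDDDEEEEFFFF0000111199990000"
SAMPLE_PAGE = """\
Alice (constructed) signs releases with key 0x99990000
Bob (constructed) signs releases with key 0x7777888899990000
Key fingerprint = 1111 2222 3333 4444 5555 6666 7777 8888 9999 0000
"""


def find_key_ids(text):
    """Return [(line_no, key_id, kind)] for each OpenPGP key reference."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Join a spaced fingerprint into one 40-digit token first.
        line = _SPACED_FPR.sub(lambda m: m.group(0).replace(" ", ""), line)
        for m in _KEY_ID.finditer(line):
            key_id = m.group(1).upper()
            found.append((line_no, key_id, KINDS[len(key_id)]))
    return found


def weak_references(text):
    """Short ids identify a key by only 32 bits, so report them for review."""
    return [(n, k) for n, k, kind in find_key_ids(text) if kind == "short"]


def candidates_matching(key_id, fingerprints):
    """A v4 key id is the low-order bits of the fingerprint: compare suffixes."""
    key_id = re.sub(r"^0x", "", key_id, flags=re.I).upper()
    return [f for f in fingerprints if f.upper().endswith(key_id)]


if __name__ == "__main__":
    for line_no, key_id in weak_references(SAMPLE_PAGE):
        hits = candidates_matching(key_id, [GENUINE, LOOKALIKE])
        print(f"line {line_no}: short id {key_id} matches {len(hits)} keys")
```
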