Hi,
On 3 Jul 2019, at 02:31, Arthur D. Edelstein arthuredelstein@gmail.com wrote:
> Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
>
> Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Here's how you can mitigate the attack in your local GPG config:

1. Open gpg.conf in a text editor. Ensure there is no line starting with "keyserver". If there is, remove it.
2. Open dirmngr.conf in a text editor. Add the line "keyserver hkps://keys.openpgp.org" to the end of it.

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigation...
Here's how you can check your keyring for broken keys: https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332 (You'll also need to do a sort -n and look for keys with a large number of signatures: 150,000 is the SKS limit, 100-1000 is typical.)
There doesn't seem to be any easy way to fix the SKS servers themselves.
T
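As an added illustration of the "sort -n and look for keys with a large number of signatures" check described in the message above (this is not the linked gist's script and not the list author's code): the snippet below counts certification signatures per public key in gpg's machine-readable listing and flags keys whose count is far above the typical 100-1000 range. A real run would feed it `gpg --list-sigs --with-colons`; here a constructed listing with made-up placeholder key IDs (not real Tor keys) is embedded so it runs offline. The threshold value is an assumption chosen from the ranges quoted in the email.

```sh
#!/bin/sh
# Added example, not part of the original email or the linked gist.
# Counts "sig" records per "pub" record in a `gpg --list-sigs --with-colons`
# listing and reports keys with an abnormally high signature count
# (a symptom of the SKS certificate-flooding attack described above).

# Reads a --with-colons listing on stdin; prints "<sigcount> <keyid>" per key.
# Field 5 of both "pub" and "sig" records is the key ID.
count_sigs() {
  awk -F: '
    $1 == "pub" { if (key != "") print n, key; key = $5; n = 0 }
    $1 == "sig" { n++ }
    END { if (key != "") print n, key }
  '
}

# Reads "<sigcount> <keyid>" lines; prints key IDs whose count exceeds $1.
flag_poisoned() {
  awk -v t="$1" '$1 > t { print $2 }'
}

# Constructed stand-in for `gpg --list-sigs --with-colons` output so the
# script runs without gpg or a keyring. Key IDs are placeholders.
sample_listing() {
  printf 'pub:u:4096:1:AAAA000000000001:1500000000::::::scESC::::::23::0:\n'
  printf 'uid:u::::1500000000::HASH::Example One <one@example.invalid>::::::::::0:\n'
  i=0
  while [ "$i" -lt 3 ]; do
    printf 'sig:::1:AAAA000000000001:1500000000::::Example One <one@example.invalid>:13x:::::2:\n'
    i=$((i + 1))
  done
  printf 'pub:u:4096:1:BBBB000000000002:1500000000::::::scESC::::::23::0:\n'
  printf 'uid:u::::1500000000::HASH::Example Two <two@example.invalid>::::::::::0:\n'
  i=0
  while [ "$i" -lt 5000 ]; do
    # 5000 bogus certifications from distinct made-up signer key IDs
    printf 'sig:::1:%016X:1500000000::::junk:13x:::::2:\n' "$i"
    i=$((i + 1))
  done
}

# Threshold is an assumption: the email quotes 100-1000 as typical, so
# anything above 1000 is worth a closer look.
THRESHOLD=1000

# Stand-alone usage: show counts sorted ascending, then the flagged keys.
# On a real system replace `sample_listing` with `gpg --list-sigs --with-colons`.
sample_listing | count_sigs | sort -n
echo "keys above $THRESHOLD signatures:"
sample_listing | count_sigs | flag_poisoned "$THRESHOLD"
```

Keys flagged this way should be re-fetched from a server that does not serve third-party certifications (such as keys.openpgp.org, as the mitigation above suggests) rather than refreshed from the SKS pool again.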