Hi,

On 3 Jul 2019, at 02:31, Arthur D. Edelstein <arthuredelstein@gmail.com> wrote:

Someone pointed me to the following post by Robert J Hansen:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Below that post, there are a couple of comments indicating that at
least two of Tor's signing keys listed in
https://2019.www.torproject.org/docs/signing-keys.html.en
have been poisoned by this attack, including the Tor Browser
Developers key and Tor Project Archive key. We're wondering if all of
the keys on that page have been affected. (I haven't had a chance to
learn about this attack or how to check other keys, but I wanted to
share this ASAP.)

Here's how you can mitigate the attack in your local GPG config:
  1. Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
  2. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#mitigations

Here's how you can check your keyring for broken keys:
https://gist.github.com/Disasm/dc44684b1f2aa76cd5fbd25ffeea7332
(You'll also need to do a sort -n and look for keys with a large number of
signatures: 150,000 is the SKS limit, 100-1000 is typical.)

There doesn't seem to be any easy way to fix the SKS servers themselves.

T
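The keyring check T describes (count the signatures on each key, sort -n, look for outliers), as an added example written for this page rather than the linked gist's script or anything from the thread. It parses gpg's --with-colons listing with awk so it can run against a constructed sample; the key IDs, names, the 1500-signature flood and the 1000 threshold are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked gist.
# Counts certification signatures per public key in gpg's machine-readable
# listing (gpg --list-sigs --with-colons), sorts by count, and flags keys
# whose count is far above the 100-1000 range typical of an unflooded key.

# count_sigs: read --with-colons output on stdin; print "<count> <keyid>"
# per public key, lowest count first.  Only $1 (record type) and $5 of
# pub lines (key ID) are used, so colons inside user IDs do not matter.
count_sigs() {
    awk -F: '
        $1 == "pub" { key = $5; n[key] = 0 }
        $1 == "sig" && key != "" { n[key]++ }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -n
}

# flag_flooded LIMIT: from count_sigs output, print key IDs with more than
# LIMIT signatures (an SKS-poisoned key can carry up to ~150,000).
flag_flooded() {
    awk -v limit="$1" '$1 > limit { print $2 }'
}

# make_sample: constructed --with-colons listing with two keys.  Key IDs,
# names and the 1500-signature flood are made up for this example.
make_sample() {
    # key 1: a normal key with a self-signature and one third-party cert
    printf 'pub:u:4096:1:0000000000000001:1500000000:::u:::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::0:::Alice (constructed) <alice@example.invalid>::::::::::0:\n'
    printf 'sig:::1:0000000000000001:1500000000::::Alice (constructed) <alice@example.invalid>:13x:\n'
    printf 'sig:::1:0000000000000002:1500000000::::Bob (constructed) <bob@example.invalid>:10x:\n'
    # key 2: a flooded key carrying 1500 bogus certifications
    printf 'pub:u:4096:1:0000000000000002:1500000000:::u:::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::0:::Bob (constructed) <bob@example.invalid>::::::::::0:\n'
    i=0
    while [ "$i" -lt 1500 ]; do
        printf 'sig:::1:%016X:1500000000::::Flood signer %d (constructed):10x:\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Demo on the constructed sample; on a real keyring replace make_sample with
#   gpg --list-sigs --with-colons
make_sample | count_sigs
make_sample | count_sigs | flag_flooded 1000
```

On a real keyring the flagged key IDs are the ones worth refreshing from hkps://keys.openpgp.org, which serves keys without third-party certifications.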