[tor-project] Problems fetching Debian package archive signing key (0xEE8CBC9E886DDD89)

Jonathan Marquardt mail at parckwart.de
Fri Feb 1 10:00:41 UTC 2019

On Thu, Jan 31, 2019 at 11:47:09PM +0000, Matthew Finkel wrote:
> Someone reported difficulty with retrieving 0xEE8CBC9E886DDD89 from the
> key servers. It seems this is only affecting some of the keyservers
> (but I don't know which ones because load-balancing).
> I was able to reproduce it, but not consistently.
> $ gpg --recv-key A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> gpg: packet(13) too large
> gpg: read_block: read error: Invalid packet
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> This error seems suspiciously similar to this sks-keyserver bug[0].

Yes, it seems like it's the the same issue. Someone made an extremely huge key 
(about 2 MiB in size) with he id 0x4F3F50786C401DCE that has a whole bunch of 
binary data as its uid.

As a workaround in the meantime until this is fixed, if someone needs the 
package signing key right now, I uploaded a backup to my website:


Of cource, you shouldn't simply trust the key I give you, but check its 
validity. It has most of the signatures, like arma's for example, as I 
downloaded it from an SKS keyserver about a week ago.
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20190201/071491c8/attachment.sig>

More information about the tor-project mailing list