[tor-project] Problems fetching Debian package archive signing key (0xEE8CBC9E886DDD89)
Jonathan Marquardt
mail at parckwart.de
Fri Feb 1 10:00:41 UTC 2019
On Thu, Jan 31, 2019 at 11:47:09PM +0000, Matthew Finkel wrote:
> Someone reported difficulty with retrieving 0xEE8CBC9E886DDD89 from the
> key servers. It seems this is only affecting some of the keyservers
> (but I don't know which ones because load-balancing).
>
> I was able to reproduce it, but not consistently.
>
> $ gpg --recv-key A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> gpg: packet(13) too large
> gpg: read_block: read error: Invalid packet
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
>
> This error seems suspiciously similar to this sks-keyserver bug[0].
Yes, it seems like it's the the same issue. Someone made an extremely huge key
(about 2 MiB in size) with he id 0x4F3F50786C401DCE that has a whole bunch of
binary data as its uid.
As a workaround in the meantime until this is fixed, if someone needs the
package signing key right now, I uploaded a backup to my website:
https://www.parckwart.de/files/nuclear_waste/tor_deb_archive_signing_key.asc
http://45tbhx5prlejzjgn36nqaxqb6qnm73pbohuvqkpxz2zowh57bxqawkid.onion/files/nuclear_waste/tor_deb_archive_signing_key.asc
Of cource, you shouldn't simply trust the key I give you, but check its
validity. It has most of the signatures, like arma's for example, as I
downloaded it from an SKS keyserver about a week ago.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20190201/071491c8/attachment.sig>
More information about the tor-project
mailing list