
Ask HN: Is the Tor Browser Developers GPG Key Attacked or Compromised? - oil25
When trying to download the Tor Browser Developers key to verify the download (as per https://support.torproject.org/tbb/how-to-verify-signature/), two working public key servers I know of return a 24.8 Megabyte file with over 26 million characters:

> https://keys.gnupg.net/pks/lookup?op=get&search=0x4E2C6E8793298290

> https://pool.sks-keyservers.net/pks/lookup?search=0x4E2C6E8793298290&fingerprint=on&op=index

Surely this can't be right. In fact, I'm worried about even trying to import them into GPG. Has someone vandalized or otherwise broken the signing keys?
======
bigiain
Probably related to this:

[https://nakedsecurity.sophos.com/2019/07/05/openpgp-experts-...](https://nakedsecurity.sophos.com/2019/07/05/openpgp-experts-targeted-by-long-feared-poisoning-attack/)

[https://www.zdnet.com/article/openpgp-flooded-with-spam-by-u...](https://www.zdnet.com/article/openpgp-flooded-with-spam-by-unknown-hackers/)

I'm sure I read in the last day or two about software updates to mitigate
against this, but I can't find anything now.

There is a 2-day-old release of GnuPG available, which isn't described on
their release notes page (yet?):

[https://gnupg.org/download/index.html](https://gnupg.org/download/index.html)
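The question asks whether a 24.8 MB "key" is safe to look at before importing it. An added example, not from this thread or from the GnuPG or Tor projects: a header-only OpenPGP packet walker (RFC 4880, section 4.2) that counts key, user ID and signature packets in a binary key file (for example the keyserver download passed through `gpg --dearmor`), so a key carrying thousands of junk certifications is recognised before `gpg --import` ever sees it. Function names are my own, and the sample packets are constructed with placeholder bodies, since only the headers matter to this parser.

```python
# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_SUBKEY = 2, 6, 13, 14

def _new_length(data, pos):
    """Decode one new-format length field: (length, next_pos, is_partial)."""
    o = data[pos]
    if o < 192:
        return o, pos + 1, False
    if o < 224:
        return ((o - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o & 0x1F), pos + 1, True          # partial body length

def packet_tags(data):
    """Yield each packet's tag by walking headers only; packet bodies are never parsed."""
    pos, end = 0, len(data)
    while pos < end:
        first, pos = data[pos], pos + 1
        if not first & 0x80:
            raise ValueError(f"bad packet header at offset {pos - 1}")
        if first & 0x40:                             # new-format header
            tag, partial = first & 0x3F, True
            while partial:                           # partial lengths chain until a final one
                length, pos, partial = _new_length(data, pos)
                pos += length
        else:                                        # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            size = (1, 2, 4, 0)[ltype]               # length type 3: body runs to end of stream
            pos = end if ltype == 3 else pos + size + int.from_bytes(data[pos:pos + size], "big")
        yield tag

def key_summary(data):
    """Packet counts for a binary key, so a flooded key is visible before any import."""
    tags = list(packet_tags(data))
    return {"keys": tags.count(TAG_PUBLIC_KEY) + tags.count(TAG_SUBKEY),
            "user_ids": tags.count(TAG_USER_ID), "signatures": tags.count(TAG_SIGNATURE)}

def looks_flooded(data, max_sigs=1000):
    """Thousands of certifications on a handful of user IDs is the keyserver-flooding pattern."""
    return key_summary(data)["signatures"] > max_sigs

def _packet(tag, body):                              # old-format header, one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample: key + user ID + self-signature, then the same key with 2000 junk
# certifications appended. Bodies are placeholders, not real key material.
_BASE = _packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 16) + _packet(TAG_USER_ID, b"Example <user@example.org>")
CLEAN_KEY = _BASE + _packet(TAG_SIGNATURE, b"\x04\x13" * 8)
FLOODED_KEY = CLEAN_KEY + _packet(TAG_SIGNATURE, b"\x04\x10" * 8) * 2000
```

Because nothing beyond the headers is decoded, the walk is linear in file size and safe to run on an untrusted blob; a real key with a few dozen certifications stays well under the threshold, while a flooded one shows a signature count in the tens of thousands.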

