Ask HN: Is the Tor Browser Developers GPG Key Attacked or Compromised?
When trying to download the Tor Browser Developers key to verify the download (as per https://support.torproject.org/tbb/how-to-verify-signature/), two working public key servers I know of return a 24.8 Megabyte file with over 26 million characters:
> https://keys.gnupg.net/pks/lookup?op=get&search=0x4E2C6E8793298290
> https://pool.sks-keyservers.net/pks/lookup?search=0x4E2C6E8793298290&fingerprint=on&op=index
Surely this can't be right. In fact, I'm worried about even trying to import them into GPG. Has someone vandalized or otherwise broken the signing keys?
1 comment
[ 2.5 ms ] story [ 15.9 ms ] threadhttps://nakedsecurity.sophos.com/2019/07/05/openpgp-experts-...
https://www.zdnet.com/article/openpgp-flooded-with-spam-by-u...
I'm sure I read in that last day or two about software updates to mitigate against this, but I can't find anything now.
There is a 2 day old release of GnuPG available - which isn't described on their release notes page (yet?):
https://gnupg.org/download/index.html