Ask HN: Is the Tor Browser Developers GPG Key Attacked or Compromised?

4 points by oil25 ↗ HN
When trying to download the Tor Browser Developers key to verify the download (as per https://support.torproject.org/tbb/how-to-verify-signature/), two working public key servers I know of return a 24.8 Megabyte file with over 26 million characters:

> https://keys.gnupg.net/pks/lookup?op=get&search=0x4E2C6E8793298290

> https://pool.sks-keyservers.net/pks/lookup?search=0x4E2C6E8793298290&fingerprint=on&op=index

Surely this can't be right. In fact, I'm worried about even trying to import them into GPG. Has someone vandalized or otherwise broken the signing keys?

1 comment

[ 2.5 ms ] story [ 15.9 ms ] thread