
Re: Key collisions in the wild



Hi,

On Wed, Aug 10, 2016 at 12:47:43AM +0200, Samuel Thibault wrote:
> As a late follow-up of the gpg key collision thread from debian-private
> (but posted on debian-devel, there is nothing private here, I prefer to
> see this information publicized actually):
> 
> € gpg --search-key samuel.thibault@gnu.org
> ...
> (1) Samuel Thibault <samuel.thibault@gnu.org>
> 4096 bit RSA key 7D069EE6, created: 2014-06-16
> (2) Samuel Thibault <samuel.thibault@gnu.org>
> 4096 bit RSA key 7D069EE6, created: 2010-09-14
> 
> So somebody *does* try to fake my gpg key too...

Looks like somebody uploaded the evil32 (https://evil32.com/)
data to public keyservers.

$ gpg --search-key 0xC83BFA9A
gpg: searching for "0xC83BFA9A" from hkp server pgp.mit.edu
(1)	Sebastian Reichel <sre@ring0.de>
	  4096 bit RSA key 0xB19B33F7C83BFA9A, created: 2014-06-16
(2)	Sebastian Reichel <sre@ring0.de>
	Sebastian Reichel <sre@debian.org>
...
	  4096 bit RSA key 0xD8EED7F3C83BFA9A, created: 2010-10-11
Keys 1-2 of 2 for "0xC83BFA9A".  Enter number(s), N)ext, or Q)uit > q
$ wget "https://raw.githubusercontent.com/thingless/evil32/gh-pages/cloneset.tar.gz";
$ tar xf cloneset.tar.gz
$ gpg --list-packets cloneset/B19B33F7C83BFA9A.pgp
:public key packet:
	version 4, algo 1, created 1402941352, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [32 bits]
	keyid: B19B33F7C83BFA9A
:user ID packet: "Sebastian Reichel <sre@ring0.de>"
:signature packet: algo 1, keyid B19B33F7C83BFA9A
	version 4, created 1407200484, md5len 0, sigclass 0x13
$ date --date="@1402941352"
Mon Jun 16 19:55:52 CEST 2014
$ date --date="@1407200484"
Tue Aug  5 03:01:24 CEST 2014

-- Sebastian

Attachment: signature.asc
Description: PGP signature
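
The short-ID search in the message above returns two different 64-bit key IDs ending in C83BFA9A. As an added example (not part of the original message), the following Python groups the `pub` records of a `gpg --with-colons --list-keys` listing by their low 32 bits and reports the keys that collide, along with any user ID they all claim. The sample listing is constructed: it uses the two key IDs from the message plus one made-up key, and the remaining field values are placeholders.

```python
from collections import defaultdict

# Constructed sample in gpg's colon-listing format. Field 5 of a "pub"
# record is the 64-bit key ID, field 10 of a "uid" record is the user ID.
SAMPLE = """\
pub:-:4096:1:B19B33F7C83BFA9A:1402941352:::-:::scESC:
uid:-::::1407200484::::Sebastian Reichel <sre@ring0.de>:
pub:-:4096:1:D8EED7F3C83BFA9A:1286755200:::-:::scESC:
uid:-::::1286755200::::Sebastian Reichel <sre@ring0.de>:
uid:-::::1286755200::::Sebastian Reichel <sre@debian.org>:
pub:-:2048:1:0123456789ABCDEF:1300000000:::-:::scESC:
uid:-::::1300000000::::Constructed User <user@example.org>:
"""


def short_id_collisions(colon_listing):
    """Return {short_id: [key, ...]} for short IDs shared by >1 distinct key."""
    by_short = defaultdict(list)
    current = None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 5:
            current = {"keyid": f[4].upper(), "created": f[5], "uids": []}
            # The 32-bit short ID is the last 8 hex digits of the key ID.
            by_short[current["keyid"][-8:]].append(current)
        elif f[0] == "uid" and current is not None and len(f) > 9:
            current["uids"].append(f[9])
    return {s: keys for s, keys in by_short.items()
            if len({k["keyid"] for k in keys}) > 1}


def shared_uids(keys):
    """User IDs claimed by every key in a colliding group."""
    return set.intersection(*(set(k["uids"]) for k in keys))


if __name__ == "__main__":
    for short, keys in short_id_collisions(SAMPLE).items():
        print(f"short ID 0x{short} is ambiguous:")
        for k in keys:
            print(f"  0x{k['keyid']} created {k['created']} {k['uids']}")
        for uid in sorted(shared_uids(keys)):
            print(f"  user ID claimed by all of them: {uid}")
```

To check a real keyring, pass the function the output of `gpg --with-colons --list-keys` instead of `SAMPLE`.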

