Antonio Diaz Diaz wrote:
> Drew Einhorn wrote:
> > You should probably add a link to the correct signing key to the ddrescue
> > page.
>
> At the very least I'll include the full key fingerprint in the announcements
> from now on. Thanks.

*Everyone* in the key server list has a key with a colliding 32-bit fingerprint and hopefully all of those are revoked.

Here is some background. Every key in the keyservers has a colliding 32-bit key fingerprint due to some work by security researchers wanting to prove that 32 bits was insufficient to identify keys. The original researchers created a 32-bit fingerprint collision for every key. And this was subsequently uploaded to the keyservers!

  https://evil32.com/

    Someone downloaded our copy of the strong set and uploaded all of
    the keys to the SKS keyserver network. :(

    While we took on this project to help prompt GPG to build a more
    secure ecosystem, this mass clone made the keyservers harder for
    everyone to use. Of course anyone could use our tools to regenerate
    their own strong set clone and do this again, but we'd rather our
    keys not be used that way.

Before the above was widely known someone saw this in the wild. This triggered quite a firestorm in the community.

  Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.
  https://lkml.org/lkml/2016/8/15/445

A comment on this social news site from one of the evil32 authors where they say they revoked all of the keys and give some additional information.

  evil32 author revokes fake keys
  https://news.ycombinator.com/item?id=12296974

And more discussion if you want to keep going with it.

  https://lwn.net/Articles/689792/

Hope this helps explain the background on those revoked keys with colliding 32-bit fingerprints.

Bob
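
Added example (not part of the message above, and not code from GnuPG or the evil32 project): it parses a constructed `gpg --list-keys --with-colons` listing, reports primary keys that share a 32-bit ID, and accepts a key only by its full 40-hex-digit fingerprint. The fingerprints, names and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout of `gpg --list-keys --with-colons`.
# All fingerprints and names are made up; two keys share the short ID DEADBEEF.
SAMPLE = """\
pub:-:4096:1:DDDD4444DEADBEEF:1400000000:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444DEADBEEF:
uid:-::::1400000000::::Example Maintainer <maint@example.org>:
pub:r:4096:1:66661111DEADBEEF:1400000001:::-:::sc:
fpr:::::::::9999EEEE8888FFFF7777000066661111DEADBEEF:
uid:r::::1400000001::::Example Maintainer <maint@example.org>:
pub:-:2048:1:1234123400C0FFEE:1400000002:::-:::scESC:
fpr:::::::::1234123412341234123412341234123400C0FFEE:
uid:-::::1400000002::::Someone Else <else@example.org>:
"""

def parse_keys(listing):
    """Primary keys as dicts: full fingerprint, first user ID, revoked flag."""
    keys, last = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]
            if last == "pub":  # field 2 is validity; "r" means revoked
                keys.append({"fpr": None, "uid": None, "revoked": f[1] == "r"})
        elif f[0] == "fpr" and last == "pub" and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9].upper()  # field 10 holds the fingerprint
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]
    return keys

def short_id_collisions(keys):
    """Short IDs (last 8 hex digits of the fingerprint) shared by 2+ keys."""
    groups = defaultdict(list)
    for k in keys:
        groups[k["fpr"][-8:]].append(k["fpr"])
    return {sid: fprs for sid, fprs in groups.items() if len(fprs) > 1}

def select_pinned(keys, pinned):
    """Return the non-revoked key matching the pinned full fingerprint, or None."""
    want = "".join(pinned.split()).upper()
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key ID")
    return next((k for k in keys if k["fpr"] == want and not k["revoked"]), None)

if __name__ == "__main__":
    ks = parse_keys(SAMPLE)
    print("colliding short IDs:", short_id_collisions(ks))
    print(select_pinned(ks, "AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 DEAD BEEF"))
```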