Tor Project crypto signatures will deceive with 32-bit key ids
This page has key ids that are too short.
There are people impersonating GPG releasers on keyservers, relying on the ability to create keys that collide in the lower 32 bits. For instance, if someone takes Nick's key id 0x165733EA, that will fetch these keys from keyservers:
And someone could fake a source download.
Or Roger's 0x28988BF5 will get
or 0x19F78451 will get
The signatures page should never list any 32-bit values. Only have full fingerprints, or use the 64-bit long ids or longer.
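An added example, not part of the original ticket or any Tor Project code: a short Python check showing why a 32-bit id cannot identify a key while a full fingerprint comparison can, plus a lint that flags 32-bit ids in a page's text. The two fingerprints are constructed placeholders that merely end in the key id quoted above; the function names are hypothetical.

```python
import re

def normalize_fpr(fpr):
    """Strip spaces and validate a 40-hex-digit (V4) OpenPGP fingerprint."""
    fpr = fpr.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 160-bit fingerprint")
    return fpr

def key_ids(fpr):
    """For V4 keys the long id is the low 64 bits, the short id the low 32 bits."""
    fpr = normalize_fpr(fpr)
    return fpr[-8:], fpr[-16:]

def select_pinned(pinned_fpr, fetched_fprs):
    """Keep only fetched keys whose full fingerprint equals the pinned one."""
    pinned = normalize_fpr(pinned_fpr)
    return [f for f in map(normalize_fpr, fetched_fprs) if f == pinned]

def find_short_key_ids(text):
    """Return every 8-hex-digit (32-bit) key id mentioned in text."""
    hits = re.findall(r"\b(?:0x)?([0-9A-Fa-f]{8,})\b", text)
    # Exactly 8 digits is a short id; require a digit to skip plain words.
    return [h.upper() for h in hits if len(h) == 8 and any(c.isdigit() for c in h)]

# Constructed fingerprints (NOT real keys): both end in 165733EA.
PINNED = "1111 2222 3333 4444 5555 6666 7777 8888 1657 33EA"
LOOKALIKE = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 9999 1657 33EA"

# Constructed page text using the ids from the ticket plus one 64-bit id.
PAGE = "Nick 0x165733EA, Roger 0x28988BF5, 0x19F78451, long 0x77778888165733EA"

if __name__ == "__main__":
    for fpr in (PINNED, LOOKALIKE):
        short, long_id = key_ids(fpr)
        print(f"short={short} long={long_id}")
    print("accepted:", select_pinned(PINNED, [LOOKALIKE, PINNED]))
    print("32-bit ids to replace:", find_short_key_ids(PAGE))
```
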