Invalid third-party certifications in published "deb.torproject.org archive signing key" OpenPGP certificate (A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89)
The "deb.torproject.org archive signing key" OpenPGP certificate published at:
https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
contains at least two certifications that are not cryptographically valid.
In particular, they appear to be duplicates (with invalid values replaced) of certifications from 539C436B82E40BF7 and 7E7D335C5A2D5EC1.
Here's some output from gpg --check-sigs:
sig! 539C436B82E40BF7 2012-10-14 Neil James Carruthers Paterson (Ignore all previous keys... passphrases destroyed before revokation keys created!) <neelypeel@gmail.com>
sig- 539C436B82E40BF7 2012-10-14 Neil James Carruthers Paterson (Ignore all previous keys... passphrases destroyed before revokation keys created!) <neelypeel@gmail.com>
sig!3 EE8CBC9E886DDD89 2014-08-31 deb.torproject.org archive signing key
sig- 7E7D335C5A2D5EC1 2013-03-28 SmilingWolf <lupo996@gmail.com>
Please consider trimming the certificate to not include invalid third-party certifications.
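A check that flags the invalid certifications in output like the listing above, added here as an example and not part of the original report. It assumes the human-readable gpg --check-sigs layout with 16-hex-digit key IDs as quoted above; the function names and the has_valid_twin field are illustrative.

```python
import re

# One signature line of human-readable `gpg --check-sigs` output:
# "sig"/"rev", a result flag, optional level and flags, key ID, date, user ID.
# Result flags: '!' good, '-' bad, '?' issuer key missing, '%' other error.
SIG_LINE = re.compile(
    r"^(?P<kind>sig|rev)(?P<result>[!\-?%])(?P<flags>[0-9A-Za-z ]*?)\s+"
    r"(?P<keyid>[0-9A-F]{16})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<uid>.*)$"
)

# The four lines quoted in the report above.
SAMPLE = """\
sig! 539C436B82E40BF7 2012-10-14 Neil James Carruthers Paterson (Ignore all previous keys... passphrases destroyed before revokation keys created!) <neelypeel@gmail.com>
sig- 539C436B82E40BF7 2012-10-14 Neil James Carruthers Paterson (Ignore all previous keys... passphrases destroyed before revokation keys created!) <neelypeel@gmail.com>
sig!3 EE8CBC9E886DDD89 2014-08-31 deb.torproject.org archive signing key
sig- 7E7D335C5A2D5EC1 2013-03-28 SmilingWolf <lupo996@gmail.com>
"""


def parse_check_sigs(output):
    """Return one dict per signature line; other lines (pub, uid, sub) are skipped."""
    matches = (SIG_LINE.match(line.strip()) for line in output.splitlines())
    return [m.groupdict() for m in matches if m]


def invalid_certifications(output):
    """List certifications gpg marked bad ('-').

    has_valid_twin is True when the same issuer and date also appear with a
    good ('!') result, i.e. the bad packet sits next to a valid copy.
    """
    sigs = parse_check_sigs(output)
    good = {(s["keyid"], s["date"]) for s in sigs if s["result"] == "!"}
    return [
        {"keyid": s["keyid"], "date": s["date"], "uid": s["uid"],
         "has_valid_twin": (s["keyid"], s["date"]) in good}
        for s in sigs if s["result"] == "-"
    ]


if __name__ == "__main__":
    for f in invalid_certifications(SAMPLE):
        note = "valid copy also present" if f["has_valid_twin"] else "no valid copy in this output"
        print(f"BAD certification from {f['keyid']} dated {f['date']} ({note})")
```

Run against the full gpg --check-sigs output for the certificate, a non-empty result means the published file still carries certifications that fail verification.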