stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
Quote (bold not added by me)
High-risk users should stop using the keyserver network immediately.
Originator of quote, again quoting directly:
Robert J. Hansen rjh@sixdemonbag.org. I maintain the GnuPG FAQ and unofficially hold the position of crisis communicator. This is not an official statement of the GnuPG project, but does come from someone with commit access to the GnuPG git repo.
See also: https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
Other reasons:
- Apart from this, keyservers have been unreliable for a long time now. This alone is a reason for at least providing an optional download of public keys.
- While https://support.torproject.org/tbb/how-to-verify-signature/ can be viewed in Tor Browser, doing the networking outside of Tor Browser (gpg --recv-keys) torified is non-trivial. For that reason too, it would be better if users could get both the instructions on how to verify and the gpg public key from the same source.
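As an added example (not part of this ticket and not Tor Project's own tooling), the workflow the ticket asks for in POSIX shell: fetch the signing key as a file through Tor's SOCKS proxy instead of a keyserver, import it into a throw-away keyring, and accept a signature only if it was made by the key whose fingerprint is pinned out of band. The SOCKS address, `KEY_URL` and `EXPECTED_FPR` are placeholders to be replaced with what torproject.org publishes.

```shell
#!/bin/sh
# Added example, not from the ticket or from Tor Project: verify a download with a
# signing key fetched as a file over Tor, pinning the key's fingerprint instead of
# relying on the keyserver network. Assumptions (placeholders): Tor SOCKS port,
# KEY_URL, EXPECTED_FPR and the file/signature paths given on the command line.
set -eu

TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"   # Tor's SOCKS port (assumption)
# Placeholder: pin the fingerprint the project publishes, never one read from the key file.
EXPECTED_FPR="${EXPECTED_FPR:-0000 0000 0000 0000 0000  0000 0000 0000 0000 0000}"

# Canonical form for comparing fingerprints: strip spaces/colons, upper-case hex.
normalize_fpr() { printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'; }

# Exit 0 when two fingerprints denote the same key, whatever their formatting.
fpr_matches() { [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]; }

# Fetch through Tor only; --socks5-hostname lets Tor resolve the name (no local DNS).
fetch_over_tor() {  # $1 URL, $2 output path
    curl --fail --silent --show-error --proto '=https' \
         --socks5-hostname "$TOR_SOCKS" -o "$2" "$1"
}

# Import the downloaded key file into a throw-away keyring, not the user's own.
import_key_file() {  # $1 key file, $2 GNUPGHOME
    gpg --homedir "$2" --batch --quiet --import "$1"
}

# Verify $1 against detached signature $2; succeed only if gpg reports VALIDSIG and
# the signing key's primary fingerprint (last VALIDSIG field) equals the pin.
verify_pinned() {  # $1 file, $2 .asc, $3 GNUPGHOME
    primary=$(gpg --homedir "$3" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
              awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
    [ -n "$primary" ] && fpr_matches "$primary" "$EXPECTED_FPR"
}

main() {  # usage: KEY_URL=... EXPECTED_FPR=... ./verify.sh run <file> <file.asc>
    homedir=$(mktemp -d) && chmod 700 "$homedir"
    fetch_over_tor "${KEY_URL:?URL of the key file published on torproject.org}" "$homedir/key.asc"
    import_key_file "$homedir/key.asc" "$homedir"
    if verify_pinned "$1" "$2" "$homedir"; then echo "GOOD signature from pinned key"
    else echo "BAD: signature invalid or made by a different key" >&2; exit 1; fi
}
if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```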