[tor-dev] Public Key Chaos
thomas.hluchnik at netcologne.de
thomas.hluchnik at netcologne.de
Wed Jan 10 10:10:52 UTC 2018
Hello all,
I am just going to update my tor server, building packages from source. I do that not only for tor but also for libevent. So I downloaded the tarballs plus signature from libevent.org and that's what I found:
$ gpg --verify libevent-2.0.22-stable.tar.gz.asc
gpg: Signature made Mon Jan 5 16:16:20 2015 CET using RSA key ID 8D29319A
gpg: Good signature from "Nick Mathewson <nickm at alum.mit.edu>"
gpg: aka "Nick Mathewson <nickm at wangafu.net>"
gpg: aka "Nick Mathewson <nickm at freehaven.net>"
gpg: aka "[jpeg image of size 3369]"
$ gpg --verify libevent-2.1.8-stable.tar.gz.asc
gpg: Signature made Sun Jan 29 19:42:03 2017 CET using RSA key ID 8EF8686D
gpg: Good signature from "Azat Khuzhin <a3at.mail at gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9E3A C83A 2797 4B84 D1B3 401D B860 8684 8EF8 686D
$ gpg --list-sigs "Azat Khuzhin"
pub 2048R/8EF8686D 2010-06-10
uid Azat Khuzhin <a3at.mail at gmail.com>
sig 3 8EF8686D 2010-06-10 Azat Khuzhin <a3at.mail at gmail.com>
sub 2048R/7A34F923 2010-06-10
sig 8EF8686D 2010-06-10 Azat Khuzhin <a3at.mail at gmail.com>
While nickm at alum.mit.edu was signed by many, many people, I find no signature for "Azat Khuzhin <a3at.mail at gmail.com>" at all. How can I trust that key? How can I be sure that libevent 2.1.8 is a good package? Why has Azat Khuzhin public key no signature from Nick Mathewson or anyone else? I don't trust that package for now until I find it signed with the keys of at least Nick Mathewson and Niels Provos.
Correct me if I a wrong.
Best Regards, Thomas
More information about the tor-dev
mailing list