torproject.org TBB verification instructions - "poisoned" public key
The instructions on torproject.org for verifying the TOR Browser Bundle don't really work anymore, due to a "key poisoning" attack on the signing key located on the keyserver. I came across this by downloading the TBB and the signature, and then trying to import the public key (on a new machine that doesn't already have it) so I can verify it, only to find out that I couldn't.
Affected page: https://support.torproject.org/tbb/how-to-verify-signature/ Relevant mailing list post: https://lists.torproject.org/pipermail/tor-project/2019-July/002384.html Description of attack: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Trac:
Username: lofenyy