<div dir="ltr">Be sure to check by long key-id, not short key id... I have this set as my default in my gpg.conf. The dump of vulnerable fingerprints is a long-known issue for those that ran SKS key servers. If you look closer you'll find that the key that was revoked was actually not yours exactly but one made to look like yours by short key-id collision.<div><br></div><div>At a minimum I highly recommend adding the following to your gpg.conf:</div><div>keyid-format 0xlong<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 30, 2021 at 12:19 PM Charles Shapiro via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I've been preparing for a gpg key signing party at work. On checking<br>
my personal gpg key on , I discovered that it had been Revoked:<br>
<br>
pub unk(#0)0/a4a66548382d0f35f394881fefc2dfb41df36586<br>
Hash=c191ea816aea760f17bb30226e67a5bf<br>
sig revok efc2dfb41df36586 2016-08-16T05:12:19Z ____________________<br>
____________________ [selfsig]<br>
<br>
I had no memory of doing this, so I investigated further. I was<br>
particularly intrigued by the "2016-08-16T05:12:19Z" timestamp. I<br>
don't do things like revoke my keys at midnight or so local.<br>
<br>
It turns out that someone had figured out a hash collision attack on<br>
32-bit key fingerprints back in 2016, then published a list of all<br>
the vulnerable fingerprints. The list is 89 mb long and is still<br>
available ( <a href="https://evil32.com/" rel="noreferrer" target="_blank">https://evil32.com/</a> ). I downloaded it and verified that,<br>
alas, 1DF36586 was on that list. My wife's key ( B4E4FC10) was not.<br>
Someone _else_ then went ahead and Revoked every key on it, including<br>
mine but not my wife's.<br>
<br>
So now I need to generate a whole new key and get it signed by a bunch<br>
of people. I'm going to use this tragedy//opportunity to update the<br>
GPG Simple How To still available on the ALE site (<br>
<a href="https://ale.org/static_pages/gpgstepbystep.html" rel="noreferrer" target="_blank">https://ale.org/static_pages/gpgstepbystep.html</a> ) (and still very<br>
close to a Web Whack ( or Hapax Legomenon ) if you search for<br>
"Millicent Arondofique" ! )<br>
<br>
Check your own keys and see if any of them were also Revoked without<br>
your knowledge.<br>
<br>
It's time for another ALE key signing party.<br>
<br>
-- CHS<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>