Yes, there is now a "fake" short fingerprint for my kernel signing key out there on the key servers, and yes, it's not really mine, and yes, we know who did it, and yes, it's revoked, and no, it wasn't just targeted at kernel developers, but at all 24000 keys in the "strong" ring of PGP trust, and yes, something like this has been possible for a very long time now so it's not really that much news, and yes, gpg really is horrible to use and almost impossible to use correctly.

See the top comment here for more details:
https://news.ycombinator.com/item?id=12296974

And of course, read the evil32.com site for loads of details.

I guess I should be happy that people are checking the signature of my kernel releases, and emailing me that something is "wrong" on their system, that's nice to see. Too bad their scripts are "wrong" as they pull in all keys with a possible 32-bit signature and things go boom.

Short answer: always use "long" (64-bit) key IDs, or better the full fingerprint, when using gpg, and never auto-refresh keys from the keyservers.
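To show why the "wrong" scripts go boom and what the right check looks like, here is an added example (mine, not code from the post or from kernel.org). It uses two constructed placeholder fingerprints, not real keys, built so that they share their low 32 bits and therefore the same 8-hex-digit short key ID, exactly the evil32 situation. The constructed `gpg --with-colons` listing and `--status-fd` output are shaped like real gpg output but are not captured from any real key. The short-ID check accepts both keys; the fingerprint check and the VALIDSIG-based verifier accept only the pinned one.

```python
"""Verify gpg signatures against a pinned full fingerprint, not a short key ID.

Added example for the post above; not the author's or kernel.org's code.
All fingerprints and gpg output below are constructed placeholders.
"""
import subprocess

# Constructed placeholder fingerprints (NOT real keys). The second one is
# built to share its low 32 bits with the first, which is what a colliding
# "evil32" key does to the short key ID.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
COLLIDING_FINGERPRINT = "FEDCBA9876543210FEDCBA9876543210" + "01234567"

# Constructed `gpg --with-colons --fingerprint` listing with both keys.
# Field 5 of a 'pub' record is the 64-bit key ID, field 10 of 'fpr' the fingerprint.
SAMPLE_COLON_LISTING = """\
pub:u:4096:1:89ABCDEF01234567:1471305600::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1471305600::DEADBEEF::Real Signer (constructed) <real@example.invalid>::::::::::0:
pub:-:2048:1:7654321001234567:1471305600::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA987654321001234567:
uid:-::::1471305600::CAFEBABE::Real Signer (constructed) <real@example.invalid>::::::::::0:
"""

# Constructed `gpg --status-fd 1 --verify` output for a signature made by the
# colliding key. GOODSIG carries only a key ID and user ID; VALIDSIG carries
# the signing-key fingerprint and, as its last field, the primary fingerprint.
SAMPLE_STATUS_COLLIDING = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 7654321001234567 Real Signer (constructed) <real@example.invalid>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321001234567 2016-08-16 "
    "1471305600 0 4 0 1 10 00 FEDCBA9876543210FEDCBA987654321001234567\n"
)


def short_key_id(fpr: str) -> str:
    """32-bit 'short' key ID: the last 8 hex digits of a v4 fingerprint."""
    return fpr[-8:].upper()


def long_key_id(fpr: str) -> str:
    """64-bit 'long' key ID: the last 16 hex digits of a v4 fingerprint."""
    return fpr[-16:].upper()


def parse_colon_listing(text: str) -> dict:
    """Map primary-key long ID -> full fingerprint from --with-colons output.

    Only the 'fpr' record directly after a 'pub' record is taken, so subkey
    fingerprints (which follow 'sub' records) are ignored.
    """
    keys, pending = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = f[4].upper()
        elif f[0] == "fpr" and pending is not None:
            keys[pending] = f[9].upper()
            pending = None
    return keys


def naive_is_trusted(fpr: str, trusted_short_ids) -> bool:
    """The broken check: match on the 32-bit short ID. Both keys above pass."""
    return short_key_id(fpr) in {s.upper() for s in trusted_short_ids}


def is_trusted(fpr: str, pinned_fingerprints) -> bool:
    """The correct check: compare the full 160-bit fingerprint."""
    return fpr.upper() in {p.upper() for p in pinned_fingerprints}


def check_validsig(status_output: str, pinned_fingerprints) -> bool:
    """Accept only if a VALIDSIG line names a pinned fingerprint.

    Either the signing (sub)key fingerprint (first argument) or the primary
    key fingerprint (tenth argument, when present) may be the pinned one.
    GOODSIG is deliberately ignored: it only carries a key ID and user ID.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        args = parts[2:]
        candidates = {args[0]}
        if len(args) >= 10:
            candidates.add(args[9])
        if any(is_trusted(c, pinned_fingerprints) for c in candidates):
            return True
    return False


def verify_file(sig_path: str, data_path: str, pinned_fingerprints) -> bool:
    """Run gpg and apply check_validsig; needs gpg and the key in the keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and check_validsig(proc.stdout, pinned_fingerprints)


if __name__ == "__main__":
    for kid, fpr in parse_colon_listing(SAMPLE_COLON_LISTING).items():
        print(kid, short_key_id(fpr), fpr,
              "short-id check:", naive_is_trusted(fpr, {"01234567"}),
              "fingerprint check:", is_trusted(fpr, [PINNED_FINGERPRINT]))
    print("colliding key accepted by VALIDSIG check:",
          check_validsig(SAMPLE_STATUS_COLLIDING, [PINNED_FINGERPRINT]))
```

The same idea applies to the gpg configuration itself: put `keyid-format 0xlong` in gpg.conf so listings never show a bare 8-digit ID, don't enable the `auto-key-retrieve` keyserver option, and don't run `gpg --refresh-keys` from a cron job; fetch a key once by its full fingerprint, verify that fingerprint out of band, and pin it as above.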