Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WRX2a-0002zQ-CC for bitcoin-development@lists.sourceforge.net; Sun, 23 Mar 2014 01:17:32 +0000 X-ACL-Warn: Received: from olivere.de ([85.214.144.153] helo=mail.olivere.de) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) id 1WRX2W-0002CE-Ud for bitcoin-development@lists.sourceforge.net; Sun, 23 Mar 2014 01:17:30 +0000 Received: from ip-178-201-245-99.unitymediagroup.de ([178.201.245.99]:33328 helo=[192.168.88.251]) by mail.olivere.de with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1WRWlU-0003bI-TK; Sun, 23 Mar 2014 01:59:52 +0100 Message-ID: <532E3206.3090005@olivere.de> Date: Sun, 23 Mar 2014 01:59:50 +0100 From: Oliver Egginger User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Mike Hearn References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Score: -0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain X-Headers-End: 1WRX2W-0002CE-Ud Cc: Bitcoin Development Subject: Re: [Bitcoin-development] Fake PGP key for Gavin X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Mar 2014 01:17:32 -0000 Am 22.03.2014 18:03, schrieb Mike Hearn: > In case you didn't see this yet, > > http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html > > If you're using PGP to verify Bitcoin downloads, it's very important > that you check you are using the right key. Someone seems to be creating > fake PGP keys that are used to sign popular pieces of crypto software, > probably to make a MITM attack (e.g. from an intelligence agency) seem > more legitimate. From the user's perspective: In the beginning I found it difficult to find the keys. At last I have made this side for documentation: https://www.olivere.de/blog/archives/2013/06/02/install_bitcoin_client/ Okay, is outdated meanwhile ... Normally people fetch the keys by key-id from a well known key server. Not because they are paranoid, but because it is the most convenient method under Linux. A Google search for Gavin+Andresen+gpg brings me herein: http://sourceforge.net/p/bitcoin/mailman/message/30551147/ Key-Id? Nevertheless, I'm glad that you guys signed anything. That makes me sleep better. I really check this. - oliver GPG: https://olivere.de/gpg