On the website, https://openresty.org/en/download.html, there's this:

> Source Code Releases
> All the releases are signed by the public PGP key A0E98066 of Yichun Zhang.
That's 32 bits to identify a key — and that's rather few bits; others can generate fake keys with the same last 32 bits.
In fact, someone did:
```
$ gpg --keyserver keyserver.ubuntu.com --keyserver-options timeout=10 --recv-key A0E98066
gpg: key A84A5A40A0E98066: public key "Totally Legit Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
As you can see, someone has generated a fake key that ends with A0E98066.
(That's Ubuntu's keyserver, which I tried when MIT's didn't work; they're supposed to be in sync with each other, I think?)
What do you think about specifying the full key ID on the website, or the last 64 bits?
There's an old issue and merged PR related to that:

- issue: #30 "Add information to the GPG key"
- PR: #32 "Add information about public key to verify release files"

but somehow the changes in the PR seem to have gotten lost over the years. Anyway, in the PR, I see that the last 64 bits of the key are: 0xB550E09EA0E98066
Maybe we might as well include the full key? Don't know if 64 bits is that much nowadays?
I think this is the complete public key? 25451EB088460026195BD62CB550E09EA0E98066
```
$ gpg --keyserver pgpkeys.mit.edu --keyserver-options timeout=10 --recv-key 25451EB088460026195BD62CB550E09EA0E98066
gpg: key B550E09EA0E98066: 1 signature not checked due to a missing key
gpg: key B550E09EA0E98066: "Yichun Zhang (agentzh) <agentzh at ... googlemail ...>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
```
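A defender-side check that follows from this thread, written here as an added example (not OpenResty's or the reporter's code): pin the full 160-bit fingerprint quoted above and parse gpg's `--status-fd` output for the VALIDSIG fingerprint, which a key colliding on the 32-bit short ID cannot satisfy. The status lines below are constructed in gpg's format, and the fake key's fingerprint prefix is a placeholder, since only its long ID A84A5A40A0E98066 appears in the thread.

```python
"""Pin the release key's full OpenPGP fingerprint (not its 32-bit short ID)
and check gpg's machine-readable status output against it."""
import subprocess

# Full fingerprint quoted in the thread for Yichun Zhang's signing key.
PINNED_FPR = "25451EB088460026195BD62CB550E09EA0E98066"

def short_id(fpr: str) -> str:
    """32-bit short key ID: the last 8 hex digits of the fingerprint."""
    return fpr[-8:].upper()

def long_id(fpr: str) -> str:
    """64-bit long key ID: the last 16 hex digits of the fingerprint."""
    return fpr[-16:].upper()

def signer_fingerprint(status_lines):
    """Fingerprint of the key behind a valid signature, or None. GOODSIG carries
    only the long key ID; VALIDSIG carries the full fingerprint (field 2) and,
    when a subkey signed, the primary key's fingerprint as its last field."""
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return (parts[-1] if len(parts) >= 12 else parts[2]).upper()
    return None

def signature_pinned(status_lines, pinned: str = PINNED_FPR) -> bool:
    """True only if a VALIDSIG line names exactly the pinned fingerprint."""
    fpr = signer_fingerprint(status_lines)
    return fpr is not None and fpr == pinned.upper()

def verify_release(tarball: str, sig: str) -> bool:
    """Accept a downloaded tarball only if gpg says the signature is good AND the key is pinned."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig, tarball],
                          capture_output=True, text=True, check=False)
    return proc.returncode == 0 and signature_pinned(proc.stdout.splitlines())

# Constructed status lines in the shape gpg --status-fd emits; not real output.
GENUINE_STATUS = [
    "[GNUPG:] GOODSIG B550E09EA0E98066 Yichun Zhang (agentzh)",
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2017-08-17 1502956800 0 4 0 1 8 00 {PINNED_FPR}",
]
# The fake key seen in the thread has long ID A84A5A40A0E98066; its first
# 24 hex digits are unknown here, so they are an all-F placeholder.
FAKE_FPR = "FFFFFFFFFFFFFFFFFFFFFFFF" + "A84A5A40A0E98066"
FAKE_STATUS = [
    "[GNUPG:] GOODSIG A84A5A40A0E98066 Totally Legit Signing Key",
    f"[GNUPG:] VALIDSIG {FAKE_FPR} 2017-08-17 1502956800 0 4 0 1 8 00 {FAKE_FPR}",
]
```

Both keys share the short ID A0E98066, so a check on that value passes for the fake key; `signature_pinned` rejects it because the full fingerprint differs.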