Key poisoning

Peter Lebbing peter at
Fri Aug 16 12:16:17 CEST 2019


> Would the attack work by just concatenating lots of identical
> signature packets onto a copy of the target key and sending the result
> to the keyserver?

I have no knowledge of the workings of the keyservers. But my guess is
that they would all be coalesced into the single signature that they are
(similarly to when a single new signature was uploaded to two different
SKS keyservers and these are coalesced on reconciliation).

It might be possible if you just change some bytes. I dunno.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Gnupg-users mailing list