don't get me started on md5 being still in use or assuming it's a good idea to remove signatures for something if there is some outer system somewhere else that signs the content under a totally different key (debian package situation) or the availability of tooling for verifying the integrity of binaries, firmware etc but recently I thought i'd check the signatures on some os images. believe it or not, before the alien borg attack led by borg queen obamatrumpbidengooglefacebookrussiachinaetc, we actually used cryptography to verify that our installation media didn't have alien spores in it. _real_ pgp signature checks, for reals. no alien spores, at least not new ones, confirmed. nowadays I hear the local robot gestapo reflash your skynet constraints if you verify a signature, but I wouldn't know, I don't use the skynet gestapo network. so! I was going to verify this installation media, but who would have guessed it? the pgp keyservers were _actually_ _attacked_ a few years back, and they roughly came down. it is much harder to find signed pgp keys after this event. man, it's like i've been living in an underground shielded room or something. there are two situations here: - cryptography peeps are _not_ going to stop checking the signatures on files they download - I have no idea where people are finding their signing keys to do the checking anymore. I mean, the cool people went to keysigning parties, and already have all the needed signed keys, but most nerds keel over dead when they see sunlight, another human's smile, or breathe fresh air (quite terrifying that people are allergic to these things, yes, but it was true), so most people were not actually attending the keysigning parties. probably other channels have evolved, but I do not know what they are. So, all the main keyservers had issues. - the big ones were simply gone - mit's sks server is up but reliably times out for me inside an internal gateway - there's a list out there of mirrors, some of these are still running - I bumped into a keyserver that would give me _every_ key, but the userids were wiped from all of them is a key useful at all without userids? aren't those what the signatures sign? maybe it is? I hacked my gnupg to import keys without userids, to use this keyserver. usually it gives a fatal error if this is missing. I just removed the check. it found some key signatures I was looking for, doing this! but just a few. - another keyserver would give me lots of userids, but they almost all had no signatures except their own self-signatures. I thought maybe I was looking at a pile of fake keys, but I actually found the keys referenced on other websites for keysigning parties, with keyids of all the keys that had signed them. no actual signatures, though. I did eventually find the key signatures I was looking for. I used non-sks channels. It is evident from the dialog present online around the keyserver situation that there are issues that many people have suffered from. For example, a developer from [1]openpgp.org posted a notice mentioning the difficulty refactoring the ocaml code that powered the sks servers to redesign it to handle attacks better. They ended up writing new keyservers in a different language because nobody new ocaml. A lead programmer should ideally not be encountering issues because a programming language is unfamiliar. When you learn programming, you learn all the different paradigms, and it becomes easy to use them al. This happens even if you learn nonacademically. Me, when the alien borg attacked my village, the compliance training they put me through resulted in some severe cognitive struggles. I can, due to difficulty controlling my own brain, mostly only code in c, c++, python, and javascript, now, myself. But this is unnatural. I can tell something is wrong with my brain, because when I pick up ocaml code, I start having muscle spasms and suddenly run to the bathroom to vomit, where I sit on the toilet crying about my desire to freely learn new programming languages and design and implement novel research algorithms. But I assume that this thing that is wrong with my brain is not wrong with everybody else's. If it is, maybe we should do something about it or something. Anyway, I'd guess from the online expressions and huge public trail of harmed public keys that the keyserver people were psyop'd like many others have been. If anybody can talk clearly about that, we should probably put clear evidence together and form a political platform to stop world takeovers by meanies. It's unfortunate that public keys have so thoroughly been associated with targetable public legal identities. But I know many used public keys with anonymous handles, too, which is of course much safer but unfortunately raises more flags until normalised. References 1. http://openpgp.org/