Hello everyone,
I discovered that there is a key out there (CEE1590D) associated with my Tor email address that is NOT me. I don't know who generated it, but I can think of many nefarious or incompetent reasons why they might have done it.
This email is for two purposes:
1. To inform you that this is NOT MY KEY. Do not under any circumstances trust anything that may have ever been signed or encrypted with this key. I looked around and was unable to find anything, but nonetheless, it is out there and that is creepy.
2. If anyone on any of these lists has encountered this key anywhere -- the main fear being that it has been used to fraudulently sign packages of some kind -- can you please let me/us know ASAP?
Tor Project official signatures are listed here: https://www.torproject.org/docs/signing-keys.html.en
Consider that the canonical source for all signatures! Be suspicious of anything not listed there and let us know if you ever find anything.
Thanks, The Real Erinn