
Question about verify message #2762

Open
GuntharDeNiro opened this issue Jan 10, 2017 · 14 comments

Comments

@GuntharDeNiro

So I have this message to verify, and when I verify it on keybase.io it says it was signed by a different identity than the one supposed to be signing it. Does it mean the 2 keybase users are the same person?

This is the message; it says signed by marcotheminer while I received that message from another user:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

My QS account has not been sold. Not that this fact has anything to do with your argument.

QS
Jan 5, 2017
-----BEGIN PGP SIGNATURE-----
Version: oPenGP 6.0 on iOS

iQEVAwUBWG5nJlMt0pDwvrUWAQghNwf/dnocGGRvtl9t7sAprG4Sz5za/Lmas9GM
Sq4PHP1p46McNw8etK9c1xsqBAjtr2LDEVPtH83XFWKWUn7auPrZtkxApAcJqiO2
6cT/+Cl3PIgTD7B1ngnxKExHXsQCUhIHYKkpcdsSnm+2hA3uP7mIw/8AsanIJMx3
OwLU3TUCYe18sNNE3hv5LDR8Qs8wc2mvwWV5X7EB+E+2C2pnhp3mAfpMowlMzOY0
xsKhcbN2QuZSrk+a/f7CYZE6G0dl4qTun7QcaMOjExkbZhRLDQqffnShaadA8gcx
0Uv7x7CEkGjLzixmi/jwnK6gdQPkZEgMLne6ZntIwo+g040DZx7QTQ==
=i6KL
-----END PGP SIGNATURE-----

@zQueal

zQueal commented Jan 10, 2017

This is very interesting behavior--especially considering marcotheminer doesn't have a key associated with their account.

@maxtaco
Contributor

maxtaco commented Jan 10, 2017 via email

@GuntharDeNiro
Author

Correct. My assumption is that the user signing that message with his key IS marcotheminer.
Correct me if I'm wrong.

@maxtaco
Contributor

maxtaco commented Jan 10, 2017

Yes, I agree.

@GuntharDeNiro
Author

Thanks Max, issue solved.

@shorena

shorena commented Jan 12, 2017

Hi, I asked GuntharDeNiro to reopen this issue for me. Thanks for that.

To me this looks like an error on the side of keybase.io and it is currently causing some mild disturbance in our community (bitcointalk.org). I normally verify messages with gpg2 and only rely on keybase for others to easily verify messages by me or send me encrypted messages.

Content of the file:

$ cat quickseller.2017.01.05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

My QS account has not been sold. Not that this fact has anything to do with your argument.

QS
Jan 5, 2017
-----BEGIN PGP SIGNATURE-----
Version: oPenGP 6.0 on iOS

iQEVAwUBWG5nJlMt0pDwvrUWAQghNwf/dnocGGRvtl9t7sAprG4Sz5za/Lmas9GM
Sq4PHP1p46McNw8etK9c1xsqBAjtr2LDEVPtH83XFWKWUn7auPrZtkxApAcJqiO2
6cT/+Cl3PIgTD7B1ngnxKExHXsQCUhIHYKkpcdsSnm+2hA3uP7mIw/8AsanIJMx3
OwLU3TUCYe18sNNE3hv5LDR8Qs8wc2mvwWV5X7EB+E+2C2pnhp3mAfpMowlMzOY0
xsKhcbN2QuZSrk+a/f7CYZE6G0dl4qTun7QcaMOjExkbZhRLDQqffnShaadA8gcx
0Uv7x7CEkGjLzixmi/jwnK6gdQPkZEgMLne6ZntIwo+g040DZx7QTQ==
=i6KL
-----END PGP SIGNATURE-----

Verification of the file. The output is in German, but I wouldn't want to modify it. Feel free to verify this yourself.

$ gpg2 --verify quickseller.2017.01.05 
gpg: Signatur vom Do 05 Jan 2017 16:32:54 CET mittels RSA-Schlüssel ID F0BEB516
gpg: Korrekte Signatur von "quick seller <quickseller@bitcointalk.org>" [vollständig]

The following is the fingerprint used by "quickseller", who also has a keybase.io account here -> https://keybase.io/quickseller
with this key added since 2015 (I'm not sure on this, please correct me if I'm wrong) -> https://keybase.io/quickseller/sigchain#986b1bda2b0efd49d96393e8d7baad11dc2fd20fcb5cd97c43a75fc0fa62f91a0f
This key is also on common keyservers, e.g. here -> http://pgp.mit.edu/pks/lookup?search=quickseller%40bitcointalk.org&op=vindex&fingerprint=on

$ gpg2 --fingerprint quickseller
pub   2048R/F0BEB516 2014-12-03 [verfällt: 2018-12-03]
  Schl.-Fingerabdruck = F364 AB33 6F00 9BA4 736C  7F69 532D D290 F0BE B516
uid       [ vollst.] quick seller <quickseller@bitcointalk.org>
sub   2048R/809B4642 2014-12-03 [verfällt: 2020-12-04]
sub   4096R/7E27676D 2016-06-15 [verfällt: 2020-06-15]

When clicking on the key ID on keybase.io I get the following error:
-> https://keybase.io/quickseller#show-public
"That key could not be found or associated with an active Keybase user."

screenshot on imgur -> http://i.imgur.com/Amrwf4w.png

With all this I would expect keybase.io to point to the quickseller account and not the above-mentioned marcotheminer.
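
The question in this thread is which identity a given signature resolves to. The signature itself already names its signing key: the OpenPGP signature packet carries the issuer's 64-bit key ID, and for a v4 key that ID is the low 64 bits of the key fingerprint. The following Python script is an added example (not code from this issue, from Keybase, or from GnuPG): it de-armors the signature block quoted above, checks the armor's CRC-24, parses the v3 signature packet, and compares the extracted key ID with the fingerprint printed by `gpg2 --fingerprint quickseller`. Only the armored signature and the fingerprint are taken from the issue; `QUICKSELLER_FPR` and all function names are this example's own. Note that this only identifies which key was used; whether a key belongs to a person is exactly what the sigchain playback in the keybase client establishes, and this script does no signature verification.

```python
import base64

# Armored signature exactly as quoted in the issue (not constructed here).
ARMORED = """-----BEGIN PGP SIGNATURE-----
Version: oPenGP 6.0 on iOS

iQEVAwUBWG5nJlMt0pDwvrUWAQghNwf/dnocGGRvtl9t7sAprG4Sz5za/Lmas9GM
Sq4PHP1p46McNw8etK9c1xsqBAjtr2LDEVPtH83XFWKWUn7auPrZtkxApAcJqiO2
6cT/+Cl3PIgTD7B1ngnxKExHXsQCUhIHYKkpcdsSnm+2hA3uP7mIw/8AsanIJMx3
OwLU3TUCYe18sNNE3hv5LDR8Qs8wc2mvwWV5X7EB+E+2C2pnhp3mAfpMowlMzOY0
xsKhcbN2QuZSrk+a/f7CYZE6G0dl4qTun7QcaMOjExkbZhRLDQqffnShaadA8gcx
0Uv7x7CEkGjLzixmi/jwnK6gdQPkZEgMLne6ZntIwo+g040DZx7QTQ==
=i6KL
-----END PGP SIGNATURE-----
"""

# Fingerprint from the `gpg2 --fingerprint quickseller` output in the issue.
QUICKSELLER_FPR = "F364AB336F009BA4736C7F69532DD290F0BEB516"


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str):
    """Strip the armor, return (raw packet bytes, crc_ok or None if no CRC line)."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    inner = lines[1:-1]
    # Armor headers (Version:, Comment:, ...) end at the first blank line.
    payload = inner[inner.index("") + 1:]
    crc_line = payload.pop() if payload and payload[-1].startswith("=") else None
    data = base64.b64decode("".join(payload))
    crc_ok = None
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        crc_ok = crc24(data) == expected
    return data, crc_ok


def parse_v3_signature(data: bytes) -> dict:
    """Parse an old-format, version 3 signature packet and return its fields."""
    tag = data[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag & 0x40:
        raise ValueError("new-format packet headers are not handled in this example")
    packet_tag = (tag >> 2) & 0x0F
    length_type = tag & 0x03
    if length_type == 0:
        length, offset = data[1], 2
    elif length_type == 1:
        length, offset = int.from_bytes(data[1:3], "big"), 3
    elif length_type == 2:
        length, offset = int.from_bytes(data[1:5], "big"), 5
    else:
        raise ValueError("indeterminate packet length is not handled in this example")
    if packet_tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {packet_tag}")
    body = data[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 3:
        raise ValueError(f"only v3 signatures are handled here, got v{body[0]}")
    if body[1] != 5:
        raise ValueError("v3 hashed-material length must be 5")
    # v3 layout after the two bytes above: sig type, 4-byte creation time,
    # 8-byte issuer key ID, public-key algo, hash algo, left 16 bits of hash, MPI.
    return {
        "version": 3,
        "sig_type": body[2],
        "created": int.from_bytes(body[3:7], "big"),
        "key_id": body[7:15].hex().upper(),
        "pk_algo": body[15],          # 1 = RSA
        "hash_algo": body[16],        # 8 = SHA-256, matching the "Hash: SHA256" armor header
        "hash_left16": body[17:19].hex().upper(),
        "mpi_bits": int.from_bytes(body[19:21], "big"),
    }


def key_id_matches_fingerprint(key_id: str, fingerprint: str) -> bool:
    """For a v4 key the 64-bit key ID is the last 16 hex digits of the fingerprint."""
    return fingerprint.replace(" ", "").upper().endswith(key_id.upper())


if __name__ == "__main__":
    raw, ok = dearmor(ARMORED)
    sig = parse_v3_signature(raw)
    print("armor CRC ok:", ok)
    print("issuer key ID:", sig["key_id"], "created:", sig["created"])
    print("matches quickseller fingerprint:", key_id_matches_fingerprint(sig["key_id"], QUICKSELLER_FPR))
```

The extracted issuer key ID is `532DD290F0BEB516`, the last 16 hex digits of quickseller's fingerprint, and the creation timestamp in the packet is the same instant gpg2 reports above (`05 Jan 2017 16:32:54 CET`). That is all the signature itself can tell you; mapping that key to a Keybase username is the server-side lookup that went wrong in this issue, and the client-side sigchain playback is the check that does not depend on it.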

@malgorithms
Contributor

OK, this is an interesting bug, thanks for all the info everyone. First time we've seen it.

quickseller's profile is fixed, so you can see the modal showing public key, without error.

the verify page will be fixed next, I assume today. cc @oconnor663 .

@GuntharDeNiro
Author

Thanks shorena and all for your time. The short question is: why, when I try to verify the following message, does it say it is from marcotheminer?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

My QS account has not been sold. Not that this fact has anything to do with your argument.

QS
Jan 5, 2017
-----BEGIN PGP SIGNATURE-----
Version: oPenGP 6.0 on iOS

iQEVAwUBWG5nJlMt0pDwvrUWAQghNwf/dnocGGRvtl9t7sAprG4Sz5za/Lmas9GM
Sq4PHP1p46McNw8etK9c1xsqBAjtr2LDEVPtH83XFWKWUn7auPrZtkxApAcJqiO2
6cT/+Cl3PIgTD7B1ngnxKExHXsQCUhIHYKkpcdsSnm+2hA3uP7mIw/8AsanIJMx3
OwLU3TUCYe18sNNE3hv5LDR8Qs8wc2mvwWV5X7EB+E+2C2pnhp3mAfpMowlMzOY0
xsKhcbN2QuZSrk+a/f7CYZE6G0dl4qTun7QcaMOjExkbZhRLDQqffnShaadA8gcx
0Uv7x7CEkGjLzixmi/jwnK6gdQPkZEgMLne6ZntIwo+g040DZx7QTQ==
=i6KL
-----END PGP SIGNATURE-----

@shorena

shorena commented Jan 12, 2017

Thanks @malgorithms for looking into this and the quick solution. The public key shows correctly on my end as well.

@GuntharDeNiro I don't know, as I have little insight into keybase.io's code or inner workings. Maybe someone with more insight can answer this.

@malgorithms
Contributor

Yeah, that's what we're working on a fix for this morning, and the first time we've seen this.

To be clear, marcotheminer never proved ownership of that key - only quickseller did. So there's a bug in the keybase.io website. Likely a very old one but rare enough we've never encountered it.

Marcotheminer was a very early user of keybase (very early alpha) and perhaps an early bug got them into our key lookup DB incorrectly...but we're very interested in this bug and it should be resolved quickly.

For more info, you can see that marcotheminer never had this key in their signature chain:

https://keybase.io/marcotheminer/chain

but that quickseller does:

https://keybase.io/quickseller/chain

(Those views, distinct from the sigchain views, don't leave out follow links or truncate on account resets, so those are all signature links either has ever posted, which the client plays back when analyzing them.)

If you run the keybase client, which doesn't take the server's word for it and plays back the signature chain and verifies the crypto, you can also verify quickseller has proven ownership of this key:

keybase id quickseller
▶ INFO Identifying quickseller
✔ public key fingerprint: F364 AB33 6F00 9BA4 736C 7F69 532D D290 F0BE B516
฿  bitcoin 17GKTeAbTdLwvJgVLgjkAxppvccFJXGGjT

Trying the same on marcotheminer yields an error because they left their account in a keyless state after resetting it. (Perhaps related to this bug...but note the client doesn't display that key.)

keybase id marcotheminer
▶ ERROR Bad key family: InsertServerEldestKey found a non-matching eldest key.

@GuntharDeNiro
Author

Is it possible marcotheminer shared the same device (iOS in this case) with quickseller, and then marcotheminer's keys on that device were erased and there is now a mixup?

@malgorithms
Contributor

I don't think that would be able to cause this. Also, just to be clear in case there's any speculation on bitcointalk.org : there's no proof that marcotheminer ever had the private key associated with that public key, since they never signed anything to prove it was theirs. This really was a website bug.

The issue is now fixed on the site - the verify page now returns the correct answer. Still figuring out how it happened in the first place or whether it happened to anyone else on the site...

Either way, to be clear: it's corrected logically, not special-cased for these 2 accounts, so it should be fixed for anyone this could've happened to. And it's likely rare and old. But still researching.

Obscure feature of keybase app, btw: you can id someone directly by a PGP key fingerprint:

keybase id F364AB336F009BA4736C7F69532DD290F0BEB516@pgp
▶ INFO Identifying quickseller
✔ public key fingerprint: F364 AB33 6F00 9BA4 736C 7F69 532D D290 F0BE B516
฿  bitcoin 17GKTeAbTdLwvJgVLgjkAxppvccFJXGGjT

@GuntharDeNiro
Author

Perfect malgorithms, this is the answer I needed. Thanks for looking at this. I will leave this issue open, looking forward to "Still figuring out how it happened in the first place..."
Thanks @shorena and all that helped too.

@shorena

shorena commented Jan 12, 2017

Thanks for the confirmation, glad we could do something to improve keybase.io.

5 participants