Silk Road forums
Discussion => Security => Topic started by: DrugsAreFun on August 17, 2013, 07:06 am
-
Vendor in question is ChiTownMafia:
http://silkroadvb5piz3r.onion/silkroad/user/efb84d5c63
I've used PGP with every other vendor I've dealt with and had no problems. I shot him a message because I'm thinking he has a problem with his key. I'm using the command line GPG for Linux.
$ gpg --version
gpg (GnuPG) 2.0.20
libgcrypt 1.5.3
And this is the error I'm getting:
$ gpg --import ctm.key
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: invalid radix64 character 2D skipped
gpg: no valid OpenPGP data found.
gpg: key DC3DE658: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
I copied the key straight off his vendor page. Tried putting it in another file. I'm fairly certain I did everything right. Here's the key if any of you have PGP at the ready and want to see if you can import it. I haven't even tried encrypting a message with it because I can't even get the thing imported.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.21-beta27 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----
I'm also considering the possibility that there's some kind of incompatibility with the beta version of GPG he's using but that's just a guess.
-
His key is cut off. It should end with -----END PGP PUBLIC KEY BLOCK-----
-
His key is cut off. It should end with -----END PGP PUBLIC KEY BLOCK-----
Doesn't it already have it?
-
Oops, sorry, you're right! I didn't scroll down. But the key still can't be imported.
-
The key lacks the "=" at the end. Usually all keys have one or two "=" signs at the end; this one lacks them completely.
Probably the vendor didn't copy/paste the key in full, or there was some error.
Either this, or it is a different new line carrier encoding, but I never saw a key without "=" characters at the end like this one, so at first glance (without trying to import it myself and dabbling a little) this can be the problem here.
-
Here is his proper public key. Did you know there is another way to find a vendor's or whoever's key, by checking the key server?
Look at the bottom where Ate are and you will notice what was missing.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (MingW32)
=1gZm
-----END PGP PUBLIC KEY BLOCK-----
Anyone who didn't know that there are other ways to find keys, please take a break from the road, do a little more reading about how to do certain things, then come back. Not knowing something simple as this is very worrying to me and prolly worry some to the future of the road.
-
This vendor's key confused the hell out of me too, then I read the very last line of their profile page and it said:
ADD THE PART WITH THE LETTERS AND SYMBOLS ABOVE THE "Welcome sign" TO THE END OF THE KEY OR ELSE IT WILL NOT WORK
So you scroll back up to the top to find the "end" of the key which you have to paste in.
What a strange thing to do.
-
Seems like a decent basic security measure.
But I'm sure the vendor doesn't like this chatter about their key here of all places, considering that they obscured the key when it was only available after logging in to a .onion site.
PS chews13 - not always multiple ways to get a key, it has to be uploaded to a key server first. But was it ever the case that everyone on the road ever grokked gpg?
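
Added example, not part of the original thread: a pre-import check for the problem discussed above, where an armored block reaches its END line without the "=" checksum line (the "=1gZm" line in the corrected key). It also reports a checksum that does not match the data. The CRC-24 parameters are those of RFC 4880; `armor()`, `check_armor()` and `PAYLOAD` are names chosen here, and the sample is constructed bytes, not a real key.

```python
import base64
import binascii

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes, with_checksum: bool = True) -> str:
    """Wrap payload in key-block armor (helper that builds the sample input)."""
    b64 = base64.b64encode(payload).decode()
    lines = ["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: constructed sample", ""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    if with_checksum:  # '=' followed by the base64 of the 3-byte CRC
        lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode())
    lines.append("-----END PGP PUBLIC KEY BLOCK-----")
    return "\n".join(lines) + "\n"

def check_armor(text: str) -> list:
    """Return the structural problems found in one armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        return ["missing BEGIN line"]
    if not lines[-1].startswith("-----END PGP "):
        return ["missing END line"]
    if "" not in lines:
        return ["no blank line between armor headers and data"]
    body = lines[lines.index("") + 1:-1]
    crc_lines = [ln for ln in body if ln.startswith("=")]
    data = "".join(ln for ln in body if not ln.startswith("="))
    try:
        raw = base64.b64decode(data, validate=True)
        stated = base64.b64decode(crc_lines[-1][1:], validate=True) if crc_lines else None
    except binascii.Error:
        return ["base64 body is damaged or truncated"]
    if stated is None:
        return ["no '=' checksum line before END"]
    if stated != crc24(raw).to_bytes(3, "big"):
        return ["checksum does not match the data"]
    return []

# Constructed sample bytes standing in for key material (not a real key).
PAYLOAD = bytes(range(100))
```

An empty list from `check_armor()` means the armor is structurally intact; it says nothing about whether the key belongs to the person you expect, which still needs a fingerprint comparison.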