Please stop using GPG short key IDs. Add “keyid-format 0xlong” to your gpg.conf file and ensure you only ever request to download keys using the full fingerprint and verify these fingerprints over a secure channel, ideally face-to-face. This is a real attack vector – we’ve found that someone has uploaded fake keys for many of the QEMU maintainers with colliding short key IDs and even gone to the trouble of cross-signing them to make them look more valid. http://gwolf.org/node/4070
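
A check for the situation described above, as an added example that is not part of the original post: it parses `gpg --with-colons` style output and reports primary keys whose fingerprints differ but whose short key IDs match. For OpenPGP v4 keys the short ID is the last 8 hex digits of the fingerprint and the long ID the last 16. The function names, fingerprints and user IDs below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the `gpg --list-keys --with-colons` record layout.
# All fingerprints are made up; the first two share their last 8 hex digits.
FP_A = "A" * 24 + "11112222" + "DEADBEEF"
FP_B = "B" * 24 + "33334444" + "DEADBEEF"
FP_C = "C" * 24 + "55556666" + "0BADF00D"
SAMPLE = "\n".join([
    f"pub:-:4096:1:{FP_A[-16:]}:1400000000:::-:::scESC:",
    f"fpr:::::::::{FP_A}:",
    "uid:-::::1400000000::::Constructed Maintainer <maintainer@example.org>:",
    "sub:-:4096:1:0000000000000001:1400000000::::::e:",
    f"fpr:::::::::{'D' * 40}:",  # subkey fingerprint, must be ignored
    f"pub:-:4096:1:{FP_B[-16:]}:1460000000:::-:::scESC:",
    f"fpr:::::::::{FP_B}:",
    "uid:-::::1460000000::::Constructed Maintainer <maintainer@example.org>:",
    f"pub:-:2048:1:{FP_C[-16:]}:1300000000:::-:::scESC:",
    f"fpr:::::::::{FP_C}:",
    "uid:-::::1300000000::::Constructed Other <other@example.org>:",
])

def parse_primary_keys(colon_output):
    """Return {fingerprint: first user ID} for each primary key."""
    keys, last_type, current = {}, None, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last_type = f[0]
        elif f[0] == "fpr" and last_type == "pub" and len(f) > 9:
            current = f[9].upper()  # field 10 carries the fingerprint
            keys[current] = ""
            last_type = None
        elif f[0] == "uid" and current and not keys[current] and len(f) > 9:
            keys[current] = f[9]    # field 10 carries the user ID
    return keys

def short_id_collisions(keys):
    """Group fingerprints by short ID; keep groups holding more than one key."""
    groups = defaultdict(list)
    for fpr in keys:
        groups[fpr[-8:]].append(fpr)
    return {sid: sorted(fprs) for sid, fprs in groups.items() if len(fprs) > 1}

if __name__ == "__main__":
    keys = parse_primary_keys(SAMPLE)
    for short_id, fprs in short_id_collisions(keys).items():
        print(f"short ID 0x{short_id} is shared by {len(fprs)} keys:")
        for fpr in fprs:
            print(f"  long 0x{fpr[-16:]}  fpr {fpr}  {keys[fpr]}")
```

To run it against a real keyring, pass the output of `gpg --list-keys --with-colons --fingerprint` to `parse_primary_keys` in place of `SAMPLE`.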