Friday, September 16, 2016

Invalid Apple PGP GPG Key! Is It Fake Or Is It A Blunder


--

[Updated and solved at 3:22 pm. See the Addendum below.]

At 1:57 pm today, I received an email from Apple entitled "APPLE-SA-2014-05-15-1 OS X Mavericks v10.9.3". 

The problem? It is signed with an INVALID PGP/GPG KEY. The signing key has ID 0xEE3A8EED, and no such key can be found!

For those unfamiliar with PGP or GPG, a public key is part of a key exchange process that lets the sender of an email prove exactly who they are. The sender uploads their public key to the public key server that everyone uses for such exchanges. When they send an email, the signature in it identifies that public key. The receiver can then verify exactly who sent the email by looking up that key on the key server.

Obviously, Apple uses public keys in order to allow you and me to know when an email message from them is real, as opposed to being FORGED by some crook or loon.

So what are we to make of an email from Apple that has an INVALID KEY?!

The answer is:
Assume it's a FAKE!

So Apple! Did you really send me this 10.9.3 announcement?
OR
Is this a fraud?!
OR
Is the Public Key Server messed up?

If Apple really did send me this email, and the server is working: OOPS! Apple pulled a HUGE BLUNDER!

I'm not going to share the email here in case it really is fraudulent. More later as my colleagues and I investigate this mysterious situation.


--

ADDENDUM: The Solution!

I beat Apple's key to the key server!

The key in question is NOW valid. There is no way to know when Apple uploaded this new key to the key server. But clearly, the server was not serving it at the time they sent their 10.9.3 announcement.

So the problem is, I have to assume, that the PGP/GPG key server has a lag AND Apple delayed uploading their new key to the server until today. Their new key was created on May 2nd, would you believe. So that's apparently quite a delay between key creation and key upload to the server. I wish there was zero delay at the key server. How much is server lag contributing to the problem? I'm concerned enough to investigate that aspect further. I have networked with the GPG developer folks for years. Therefore, I'll attempt to chat with them about this situation.
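The three outcomes a gpg verification can produce in a situation like this, as an added example that is not from the original post: it assumes the advisory is saved as apple-sa.asc, uses the key ID quoted above, and the key server name and the long key IDs in the samples are assumptions, not Apple's real values.

```shell
# Added example, not part of the original post. It classifies the
# machine-readable status lines GnuPG emits with --status-fd so that
# "the key is not on the key server (yet)" is kept separate from
# "the signature does not match the message". Assumed workflow, with the
# advisory saved as apple-sa.asc and the key ID taken from the post:
#   gpg --status-fd 1 --verify apple-sa.asc
#   gpg --keyserver hkps://keys.openpgp.org --recv-keys 0xEE3A8EED
#   gpg --status-fd 1 --verify apple-sa.asc   # retry once the key is fetched

# Reads "[GNUPG:] ..." status lines on stdin and prints one verdict:
#   GOOD        GOODSIG seen             signature matches under the named key
#   FORGED      BADSIG seen              signature does not match the data
#   UNVERIFIED  NO_PUBKEY/ERRSIG seen    cannot be checked until the key is fetched
#   NOSIG       no signature status      nothing to verify
gpg_verdict() {
    verdict=NOSIG
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                verdict=FORGED ;;
            "[GNUPG:] GOODSIG "*)
                if [ "$verdict" != FORGED ]; then verdict=GOOD; fi ;;
            "[GNUPG:] NO_PUBKEY "*|"[GNUPG:] ERRSIG "*)
                if [ "$verdict" = NOSIG ]; then verdict=UNVERIFIED; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Constructed samples of what gpg reports. The long key IDs are placeholders
# padded around the short ID from the post; the user ID is a placeholder too.
KEY_MISSING='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 00000000EE3A8EED 1 2 00 1400000000 9
[GNUPG:] NO_PUBKEY 00000000EE3A8EED'
KEY_PRESENT_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000EE3A8EED Placeholder User ID'
KEY_PRESENT_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 00000000EE3A8EED Placeholder User ID'

# What the post saw before the key reached the server: the message is
# unverifiable, which is not the same finding as a forged signature.
printf '%s\n' "$KEY_MISSING" | gpg_verdict   # -> UNVERIFIED
```

A GOOD verdict only means the signature matches whatever key the server returned for that ID; the key's fingerprint still has to be compared with one obtained from Apple out of band before the announcement is trusted.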

CONCLUSION: Case Closed!

--
