by diafygi 4046 days ago
Yes! It looks like someone inserted a broken subkey with an invalid signature into the keyserver. If your software didn't validate subkey signatures, you could very well think that a package was signed by HPA. Alternatively, it could be that someone was just fucking around and uploaded a subkey with invalid signature for the lolz.

Here's a json export of the packets: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84

Here's the factored subkey: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

Here's the factored subkey's bad signature: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

EDIT: It's the EXACT SAME subkey self-signature packet as HPA's real subkey self-signature packet! Someone (by malice or mistake) manually added a subkey to HPA's public key and copied the signature from the other subkey directly onto the new subkey.

These are the same:

Bad subkey self-signature: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

Good subkey self-signature: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

1 comments
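To make concrete what "validate subkey signatures" means here, the following is an added example (not code from the post, and not from openpgp-python): RFC 4880 hashes the primary key body and the subkey body into a subkey binding signature (type 0x18), so a signature packet copied from one subkey cannot match the digest when attached to a different subkey, and the left-16-bit hash check in the signature packet already rejects it before any RSA verification. The key bodies, signature bytes and names below are constructed stand-ins, not real key material; a real verifier would also verify the signature MPI against the primary key.

```python
import hashlib
import struct

# RFC 4880 section 5.2.4: data hashed for a v4 subkey binding signature (type 0x18).
# Each key packet body is prefixed with 0x99 and its two-octet length.
def _key_prefix(body: bytes) -> bytes:
    return b"\x99" + struct.pack(">H", len(body)) + body

def binding_digest(primary_body: bytes, subkey_body: bytes,
                   sig_hashed: bytes, hash_name: str = "sha256") -> bytes:
    # sig_hashed is the signature packet from the version octet through the end
    # of the hashed subpackets; the v4 trailer appends 0x04 0xFF + its length.
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_hashed))
    h = hashlib.new(hash_name)
    h.update(_key_prefix(primary_body))
    h.update(_key_prefix(subkey_body))
    h.update(sig_hashed)
    h.update(trailer)
    return h.digest()

def quick_check(primary_body, subkey_body, sig_hashed, left16) -> bool:
    # The signature packet stores the left 16 bits of the hash; a mismatch means
    # the signature cannot possibly have been made over this primary/subkey pair.
    return binding_digest(primary_body, subkey_body, sig_hashed)[:2] == left16

# Constructed stand-ins (not real key material): two distinct subkey bodies
# under one primary key, and the hashed portion of a type-0x18 v4 signature
# with RSA (alg 1), SHA-256 (alg 8), and an empty hashed-subpacket area.
PRIMARY = b"\x04" + b"\x00\x00\x00\x00" + b"\x01" + b"primary-mpi-placeholder"
SUBKEY_GOOD = b"\x04" + b"\x00\x00\x00\x01" + b"\x01" + b"subkey-A-mpi-placeholder"
SUBKEY_BAD = b"\x04" + b"\x00\x00\x00\x02" + b"\x01" + b"subkey-B-mpi-placeholder"
SIG_HASHED = b"\x04\x18\x01\x08" + b"\x00\x00"

# A signature genuinely made over SUBKEY_GOOD carries these left-16 bits.
LEFT16_GOOD = binding_digest(PRIMARY, SUBKEY_GOOD, SIG_HASHED)[:2]

def copied_signature_detected() -> bool:
    # True when the quick check accepts the original pair and rejects the same
    # signature packet re-attached to a different subkey (the case in the post).
    return (quick_check(PRIMARY, SUBKEY_GOOD, SIG_HASHED, LEFT16_GOOD)
            and not quick_check(PRIMARY, SUBKEY_BAD, SIG_HASHED, LEFT16_GOOD))

if __name__ == "__main__":
    print("copied subkey signature detected:", copied_signature_detected())
```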

That JSON export is cool - how did you generate it?
One of my side projects: https://github.com/diafygi/openpgp-python

Not fully functional yet, but I was able to convert this public key to JSON. I manually removed the non-self-signature packets for the gist.