That is true, which is why signing your PGP key is useless. An attacker can create his own key, sign it, and replace yours. The solution to this problem is to distribute your key to as many places (and people) as possible and let everyone know about it. The attacker probably can't pwn every distribution channel, so majority wins. You can find my key in these places:

http://dkn255hz262ypmii.onion/index.php?topic=174.msg668472#msg668472
http://32yehzkk7jflf6r2.onion/astor.txt
http://25vuwfdig7yt44qo.onion

If one of them is ever different, the outlier is a forgery. There are also plenty of people on the forum that you can check with at this point. If an attacker pretends to be me, a few of the many people who have my key will notice. The only time you should trust a new key claimed to be mine is if it is signed with the old key.
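The two rules in the post (majority across channels wins, and a replacement key is trusted only if the old key signed it) as an added example; this is not the poster's code, and it assumes Ed25519 signatures as a stand-in for PGP and constructed channel names rather than the real distribution points.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// KeyCopy is the public key as fetched from one distribution channel
// (constructed sample data, not the real channels from the post).
type KeyCopy struct {
	Channel string
	Key     ed25519.PublicKey
}

// majorityKey returns the key a strict majority of channels agree on and the
// channels whose copy differs (the "outlier is a forgery" rule). A tie or no
// strict majority yields ok=false: there is nothing to trust yet.
func majorityKey(copies []KeyCopy) (winner ed25519.PublicKey, outliers []string, ok bool) {
	counts := map[string]int{}
	for _, c := range copies {
		counts[string(c.Key)]++
	}
	best, n, tie := "", 0, false
	for k, v := range counts {
		switch {
		case v > n:
			best, n, tie = k, v, false
		case v == n:
			tie = true
		}
	}
	if tie || n*2 <= len(copies) {
		return nil, nil, false
	}
	for _, c := range copies {
		if string(c.Key) != best {
			outliers = append(outliers, c.Channel)
		}
	}
	return ed25519.PublicKey(best), outliers, true
}

// acceptRotation implements the last rule: a new key is accepted only when the
// currently trusted key has signed it (Ed25519 here; PGP in the post).
func acceptRotation(old, candidate ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(old, candidate, sig)
}

func main() {
	a, _, _ := ed25519.GenerateKey(nil) // genuine key, served by three channels
	b, _, _ := ed25519.GenerateKey(nil) // forged copy planted on one channel
	_, out, ok := majorityKey([]KeyCopy{{"forum", a}, {"txt", a}, {"site", a}, {"mirror", b}})
	fmt.Println(ok, out) // true [mirror]
}
```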