<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font size="2">OK, I code-solved my own misery :</font></p>
<p><font size="2"><br>
This change is an improvement YET really the subtle minor
3-lettered increment is UNobvious to people like I: <br>
<br>
BE VERY CAUTIOUS of the * D.E.B * novelty in the tor.list
file:<br>
<br>
echo 'deb
[signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg]
<a class="moz-txt-link-freetext" href="https://deb.torproject.org/torproject.org">https://deb.torproject.org/torproject.org</a> <DISTRIBUTION>
main' >> ../../etc/apt/sources.list.d/tor.list<br>
echo 'deb-src
[signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg]
<a class="moz-txt-link-freetext" href="https://deb.torproject.org/torproject.org">https://deb.torproject.org/torproject.org</a> <DISTRIBUTION>
main' >> ../../etc/apt/sources.list.d/tor.list<br>
<br>
................................below...................................above.....................................................above.......................................................................................................................below<br>
and associated command: <br>
wget -qO-
<a class="moz-txt-link-freetext" href="https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc">https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc</a>
| gpg --dearmor | sudo tee
/usr/share/keyrings/deb.tor-archive-keyring.gpg >/dev/null<br>
</font></p>
<p><br>
</p>
<p>sooo, unbovious.<br>
</p>
<p>Question is: how many relays are now running an out-dated gpg
keyring?<br>
</p>
<p><font size="2">Carlos.<br>
<br>
</font><br>
</p>
<div class="moz-cite-prefix">On 8/11/24 2:06 PM,
<a class="moz-txt-link-abbreviated" href="mailto:eff_03675549@posteo.se">eff_03675549@posteo.se</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:fe9ec266-15a4-43fc-b2ec-0beddc47e96c@posteo.se">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p><font size="2">Hi all, <br>
<br>
wait: I just installed a fresh relay and the torproject is
still outdated with the old keyring!<br>
(I had to add sudo apt-key adv --recv-keys --keyserver
keys.gnupg.net 74A941BA219EC810 to my script).<br>
<br>
Isn't this insane given that new comers are going to install
vulnerable relays by default?</font></p>
<p><font size="2"><b>how come the new installs still have to
update?<br>
<br>
</b>Carlos.<br>
</font></p>
<div class="moz-cite-prefix"><br>
<br>
On 8/2/24 5:16 PM, telekobold wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ab632414-4cb0-4736-8952-80c7643c4a12@telekobold.de">Hi
boldsuck, <br>
<br>
thank you for your messages and the explanations. To be honest,
I wasn't aware that the GPG key has to be updated manually every
two years. However, I still have a few comprehension questions:
<br>
<br>
On 16.07.24 14:03, boldsuck wrote: <br>
<br>
<blockquote type="cite">wget -qO-
<a class="moz-txt-link-freetext"
href="https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc"
moz-do-not-send="true">https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc</a>
| gpg --dearmor | tee
/usr/share/keyrings/tor-archive-keyring.gpg >/dev/null <br>
</blockquote>
<br>
What exactly is the purpose of "gpg --dearmor" and of "tee"
here? Why isn't is enough to just type <br>
wget -qO-
<a class="moz-txt-link-freetext"
href="https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc"
moz-do-not-send="true">https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc</a>
> /usr/share/keyrings/tor-archive-keyring.gpg <br>
? <br>
I compared the output with and without the "gpg --dearmor" using
diff, it is exactly the same. And the only effect of tee is that
the binary output is also printed to the terminal. There is even
something that is interpreted as a line break at the end of the
binary .gpg file so that the terminal tries to execute "1;2c"
which leads to an error. However, with the shortened command,
everything also works without errors. <br>
<br>
>> apt-key -list
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg <br>
[...] <br>
> Sorry, above is the key that is installed by the package
deb.torproject.org-keyring. <br>
> gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg
shows you the one imported via wget. <br>
<br>
On my relays (installed "the standard way" using the manuals at
the torproject.org website), both commands output the same GPG
key with the fingerprint <br>
A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89 <br>
So, there seems to be no other Tor-related GPG key installed by
the package deb.torproject.org-keyring, just the GPG key
manually installed via the above wget command. <br>
<br>
<br>
And finally, it would be nice if one could check the fingerprint
of this key on future physical Tor relay operators meetups like
the one at the Chaos Communication Camp. I'm not even sure if
wget does any background check based on a hierarchical
certificate check of the TLS certificate of torproject.org. If
the TLS connection would be somehow corrupted at the moment
where one executed the wget command an attacker could corrupt
the whole relay, according to my understanding. Or do I have an
error in my thinking here? <br>
<br>
<br>
Kind regards <br>
telekobold <br>
_______________________________________________ <br>
tor-relays mailing list <br>
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:tor-relays@lists.torproject.org"
moz-do-not-send="true">tor-relays@lists.torproject.org</a> <br>
<a class="moz-txt-link-freetext"
href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays"
moz-do-not-send="true">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
PGP updated every second week : please actualize our communication every time.</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
PGP updated every second week : please actualize our communication every time.</pre>
</body>
</html>