Hi Matt,
On Mon, 20 Jul 2020 at 22:37, Matthew Finkel sysrqb@torproject.org wrote:
>> I propose distributing the Tor developer keys inside the Fedora package distribution-gpg-keys.[1] This would give most Linux users a trustworthy chain of signatures from their own distributor (e.g. CentOS or Fedora) to Tor project downloads.
> (most? :) )
I suspect so. I haven't checked if Debian/Ubuntu have keyrings for Fedora. (Vice versa is certainly true.)
>> I am happy to take care of this, although I am also happy if somebody who is more involved with Tor than me takes this on. I wrote a shell script (attached) to acquire and organise the keys based on https://2019.www.torproject.org/include/keys.txt. My script would install the following keys under /usr/share/distribution-gpg-keys/tor:
> Unfortunately that file is very old and incorrect now.
That is unfortunate. Is there any sensible way that users can currently verify signatures of their downloads? (Can I mimic that?)
>> The most obvious question is: how do I know that I am distributing unadulterated keys? I think the answer is that I don't! But any attack would have to affect a large group of people, and would be detected quickly as long as many people are looking at the distribution-gpg-keys package. If this solution is unsatisfactory, then perhaps someone who is more involved with the Tor developers -- and hence able to directly check the keys -- ought to take this on.
> Yeah, if a package like this exists and it has tor's name attached to it, then we should have a high degree of confidence that the package contains the correct keys.
I'm not sure I understood what you mean. Are you worried about an attack? Or just miscommunication?
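An added example of the organise-and-check step discussed above (not the script attached to this thread): it splits a keys.txt-style file into one file per key named by the key's OpenPGP v4 fingerprint, computing the fingerprint itself (RFC 4880: SHA-1 over 0x99, the two-byte length and the public-key packet body) and refusing any key whose fingerprint is not in a pinned list, which is the independent check the "unadulterated keys" question asks for. The pinned set and output directory are the caller's assumptions; no real Tor key material is included.

```python
# Added example: per-key files named by v4 fingerprint, pinned-fingerprint check (assumed policy).
import base64, hashlib, re
from pathlib import Path

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(armored: str) -> bytes:
    """Drop armor headers (everything up to the blank line) and the trailing =CRC24 line."""
    lines = [line.strip() for line in armored.splitlines()]
    start = lines.index("") + 1 if "" in lines else 0
    return base64.b64decode("".join(l for l in lines[start:] if not l.startswith("=")), validate=True)

def first_packet(data: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first OpenPGP packet (RFC 4880 section 4.2 header formats)."""
    ctb = data[0]
    if ctb & 0x40:  # new-format header: one-, two- or five-octet length
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial-length packets are not supported")
    else:  # old-format header: low two bits select 1, 2 or 4 length octets
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
        if ltype == 3:
            raise ValueError("indeterminate-length packets are not supported")
        n = 1 << ltype
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def fingerprint(data: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99 || 2-byte body length || public-key packet body."""
    tag, body = first_packet(data)
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet first")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def split_keys(keys_txt: str, outdir: Path, pinned: set[str]) -> list[str]:
    """Write <fingerprint>.asc under outdir for each pinned key; raise on any other key."""
    written = []
    for m in ARMOR_RE.finditer(keys_txt):
        fpr = fingerprint(dearmor(m.group(1)))
        if fpr not in pinned:
            raise ValueError(f"key {fpr} is not in the pinned list; refusing to package it")
        (outdir / f"{fpr}.asc").write_text(m.group(0) + "\n")
        written.append(fpr)
    return written
```

The pinned list must come from somewhere other than the file being split (for instance fingerprints confirmed directly with the key owners), otherwise the check only restates the input.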