Hi everyone,
I propose distributing the Tor developer keys inside the Fedora package distribution-gpg-keys.[1] This would give most Linux users a trustworthy chain of signatures from their own distributor (e.g. CentOS or Fedora) to Tor project downloads.
I am happy to take care of this, although I am also happy if somebody who is more involved with Tor than me takes this on. I wrote a shell script (attached) to acquire and organise the keys based on https://2019.www.torproject.org/include/keys.txt. My script would install the following keys under /usr/share/distribution-gpg-keys/tor:
Arm_releases/Damian_Johnson.gpg Tails_live_system_releases/The_Tails_team.gpg TorBirdy_releases/Sukhbir_Singh.gpg Tor_Browser_releases/Arthur_Edelstein.gpg Tor_Browser_releases/Georg_Koppen.gpg Tor_Browser_releases/Mike_Perry.gpg Tor_Browser_releases/Nicolas_Vigier.gpg Tor_Browser_releases/The_Tor_Browser_Developers.gpg Tor_source_tarballs/Nick_Mathewson.gpg Tor_source_tarballs/Roger_Dingledine.gpg Torsocks_releases/David_Goulet.gpg deb.torproject.org_repositories_and_archives/Tor_Project_Archive.gpg older_Tor_tarballs/Nick_Mathewson.gpg other/Peter_Palfrader.gpg
Unless someone else volunteers (please do!), I will set up a weekly job to run the script and alert me to any changes.
Can anyone see any potential problems with this plan?
The most obvious question is: how do I know that I am distributing unadulterated keys? I think the answer is that I don't! But any attack would have to affect a large group of people, and would be detected quickly as long as many people are looking at the distribution-gpg-keys package. If this solution is unsatisfactory, then perhaps someone who is more involved with the Tor developers -- and hence able to directly check the keys -- ought to take this on.
[1] See https://github.com/xsuchy/distribution-gpg-keys and https://rpmfind.net/linux/RPM/fedora/updates/32/x86_64/Packages/d/distributi...
On Fri, Jul 17, 2020 at 02:56:08PM +0100, Andrew Clausen wrote:
Hi everyone,
Hi,
Thanks for your interest in this.
I propose distributing the Tor developer keys inside the Fedora package distribution-gpg-keys.[1] This would give most Linux users a trustworthy chain of signatures from their own distributor (e.g. CentOS or Fedora) to Tor project downloads.
(most? :) )
I am happy to take care of this, although I am also happy if somebody who is more involved with Tor than me takes this on. I wrote a shell script (attached) to acquire and organise the keys based on https://2019.www.torproject.org/include/keys.txt. My script would install the following keys under /usr/share/distribution-gpg-keys/tor:
Unfortuntately that file is very old and incorrect now.
Arm_releases/Damian_Johnson.gpg Tails_live_system_releases/The_Tails_team.gpg TorBirdy_releases/Sukhbir_Singh.gpg Tor_Browser_releases/Arthur_Edelstein.gpg Tor_Browser_releases/Georg_Koppen.gpg Tor_Browser_releases/Mike_Perry.gpg Tor_Browser_releases/Nicolas_Vigier.gpg Tor_Browser_releases/The_Tor_Browser_Developers.gpg Tor_source_tarballs/Nick_Mathewson.gpg Tor_source_tarballs/Roger_Dingledine.gpg Torsocks_releases/David_Goulet.gpg deb.torproject.org_repositories_and_archives/Tor_Project_Archive.gpg older_Tor_tarballs/Nick_Mathewson.gpg other/Peter_Palfrader.gpg
Unless someone else volunteers (please do!), I will set up a weekly job to run the script and alert me to any changes.
Can anyone see any potential problems with this plan?
While this is a nice idea, creating a package like this would take more time than we currently have to spare right now. But, with that being said, we could probably automatically generate the package in a CI/CD pipeline when the right people become less overwhelmed. Luckily, project signing keys don't change very often (on the order of years), so if there is a desire for a package like this, then it would likely only be updated a couple times per year. I don't know who would upload it for distribution, though.
The most obvious question is: how do I know that I am distributing unadulterated keys? I think the answer is that I don't! But any attack would have to affect a large group of people, and would be detected quickly as long as many people are looking at the distribution-gpg-keys package. If this solution is unsatisfactory, then perhaps someone who is more involved with the Tor developers -- and hence able to directly check the keys -- ought to take this on.
Yeah, if a package like this exists and it has tor's name attached to it, then we should have a high degree of confidence that the package contains the correct keys.
Thanks, Matt
Hi Matt,
On Mon, 20 Jul 2020 at 22:37, Matthew Finkel sysrqb@torproject.org wrote:
I propose distributing the Tor developer keys inside the Fedora package distribution-gpg-keys.[1] This would give most Linux users a trustworthy chain of signatures from their own distributor (e.g. CentOS or Fedora) to Tor project downloads.
(most? :) )
I suspect so. I haven't checked if Debian/Ubuntu have keyrings for Fedora. (Vice versa is certainly true.)
I am happy to take care of this, although I am also happy if somebody who is more involved with Tor than me takes this on. I wrote a shell script (attached) to acquire and organise the keys based on https://2019.www.torproject.org/include/keys.txt. My script would
install
the following keys under /usr/share/distribution-gpg-keys/tor:
Unfortuntately that file is very old and incorrect now.
That is unfortunate. Is there any sensible way that users can currently verify signatures of their downloads? (Can I mimic that?)
The most obvious question is: how do I know that I am distributing unadulterated keys? I think the answer is that I don't! But any attack would have to affect a large group of people, and would be detected
quickly
as long as many people are looking at the distribution-gpg-keys package. If this solution is unsatisfactory, then perhaps someone who is more involved with the Tor developers -- and hence able to directly check the keys -- ought to take this on.
Yeah, if a package like this exists and it has tor's name attached to it, then we should have a high degree of confidence that the package contains the correct keys.
I'm not sure I understood what you mean. Are you worried about an attack? Or just miscommunication?
-
Andrew Clausen -
Matthew Finkel