On 2019-07-22 14:54:40, Matt Traudt wrote:
On 7/2/19 18:31, Arthur D. Edelstein wrote:
Hi Everyone,
Someone pointed me to the following post by Robert J Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Below that post, there are a couple of comments indicating that at least two of Tor's signing keys listed in https://2019.www.torproject.org/docs/signing-keys.html.en have been poisoned by this attack, including the Tor Browser Developers key and Tor Project Archive key. We're wondering if all of the keys on that page have been affected. (I haven't had a chance to learn about this attack or how to check other keys, but I wanted to share this ASAP.)
Thanks, Arthur
In case it's helpful, I've cleaned the Tor Browser signing key of the poison signatures and put it up here[0] for the time being.
People[1] are attempting to download the poisoned key and experiencing issues. The instructions[2] on Tor's website that they are following still tell people to use the key server pool with poisoned keys. These should probably be updated ASAP.
Let's please do something about this.
A few things...
We are now aware of the poisoned key and have remediated the problem, the details being in Trac ticket #31168:
https://trac.torproject.org/projects/tor/ticket/31168
weasel deployed WKD, a standard way to discover keys outside of the normal keyserver infrastructure. We have also added the TBB signing key to WKD so that keys can be discovered there. The documentation on the support website has been updated accordingly:
https://support.torproject.org/tbb/how-to-verify-signature/
For users not having access to a WKD implementation, you can just fetch the key at the following URL as well:
https://openpgpkey.torproject.org/.well-known/openpgpkey/hu/kounek7zrdx745qy...
The 2019.torproject.org website is archived and will not be changed. Hopefully it will drop out of existence progressively as we remove all links to it. We're also considering un-indexing it from search engines, see #31225 for this:
https://trac.torproject.org/projects/tor/ticket/31225
I hope that covers it. If anyone finds more instances of bad instructions on the website (referring to keyservers instead of WKD), please do let us know.
A.
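Added example (editor's code, not part of the thread or of any Tor tooling): the two pieces of the remediation above are mechanical enough to script. The WKD path component (`hu/<hash>`) is the z-base-32 encoding of the SHA-1 of the lower-cased local part, so the lookup URL for an address can be derived offline, and a key fetched from a keyserver can be checked for the flooding described by Hansen by counting the signature packets in the exported binary (`gpg --export` output) before it is imported. Assumptions: the Tor Browser key's user ID is `torbrowser@torproject.org`; the packet streams below are constructed with dummy bodies (only the headers matter for counting); the 50-signatures-per-UID threshold is an arbitrary heuristic, not a spec value. The WKD layouts follow draft-koch-openpgp-webkey-service (advanced method under `openpgpkey.<domain>` with a `<domain>` directory, direct method on the bare domain).

```python
"""Derive WKD lookup URLs and flag signature-flooded OpenPGP keys.

Editor's example; not code from the thread or the Tor Project.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

# OpenPGP packet tags we care about (RFC 4880 section 4.3)
SIG, PUBKEY, UID = 2, 6, 13


def zbase32(data: bytes) -> str:
    """z-base-32 encode: 5-bit groups, MSB first, no padding characters."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = ((bits << 8) | byte) & 0xFFFF  # keep only the bits still needed
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32[(bits >> nbits) & 31])
    if nbits:  # trailing bits are left-aligned into one final group
        out.append(ZB32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_urls(address: str):
    """Return (advanced, direct) WKD URLs for a mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode()).digest())
    q = "?l=" + quote(local)  # original local part travels as a query parameter
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{q}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{hu}{q}"
    return advanced, direct


def count_packets(blob: bytes) -> dict:
    """Walk a binary OpenPGP packet stream and return {tag: count}.

    Handles old- and new-format headers. Partial body lengths do not
    occur in exported keys and are rejected rather than guessed at."""
    counts, i, n = {}, 0, len(blob)
    while i < n:
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        i += 1
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = blob[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + blob[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(blob[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header: low two bits select the length size
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype  # 1, 2 or 4 length bytes
            length = int.from_bytes(blob[i:i + size], "big")
            i += size
        counts[tag] = counts.get(tag, 0) + 1
        i += length
    return counts


def looks_poisoned(blob: bytes, max_sigs_per_uid: int = 50):
    """Heuristic: far more signatures than user IDs means a flooded key.
    Returns (flag, total_signature_count)."""
    counts = count_packets(blob)
    sigs = counts.get(SIG, 0)
    uids = max(counts.get(UID, 0), 1)
    return sigs / uids > max_sigs_per_uid, sigs


def packet(tag: int, body: bytes) -> bytes:
    """Build a new-format packet with a dummy body (for constructed input)."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        n2 = n - 192
        hdr = bytes([0xC0 | tag, (n2 >> 8) + 192, n2 & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


# Constructed sample streams: an old-format public-key packet, a user ID,
# then either 2 signatures (healthy) or 2000 signatures (flooded).
_PUBKEY_OLD = bytes([0x80 | (PUBKEY << 2) | 0, 10]) + b"\x00" * 10
_UID = packet(UID, b"Example <example@example.org>")
CLEAN_KEY = _PUBKEY_OLD + _UID + packet(SIG, b"\x04" * 300) * 2
POISONED_KEY = _PUBKEY_OLD + _UID + packet(SIG, b"\x04" * 300) * 2000

if __name__ == "__main__":
    print(wkd_urls("torbrowser@torproject.org")[0])
    print("clean:", looks_poisoned(CLEAN_KEY))
    print("poisoned:", looks_poisoned(POISONED_KEY))
```

To use this on a real key, export it in binary form (`gpg --export KEYID > key.bin`, without `-a`) and pass the bytes to `looks_poisoned` before deciding whether to keep the import; a key that trips the threshold is the case the thread is about, and WKD (or the direct URL above) is the place to fetch a clean copy instead.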