On Tue, Jul 16, 2024 at 05:01:09PM +0300, Martin Gebhardt via tor-relays wrote:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E88... | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
Is the name important?
I assume it's Debian? The configuration of the signing key and the repo is configured in Debian (and Ubuntu?) via sources.list, see $ man 5 sources.list.
In most cases this will look something like this:
$ cat /etc/apt/sources.list.d/tor.list
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/etc/apt/trusted.gpg.d/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
You can place the key anywhere that ‘apt’ can access; you only need to change the path in the source file.
I would recommend placing it at /usr/share/keyrings/deb.torproject.org-keyring.gpg, but only if you don't have the deb.torproject.org-keyring package already installed:
1. On a fresh system, manually download the key to /usr/share/keyrings/deb.torproject.org-keyring.gpg.
2. Then configure sources.list, install apt-transport-https etc.
3. Finally, install the deb.torproject.org-keyring package. It will overwrite /usr/share/keyrings/deb.torproject.org-keyring.gpg with the version from the package.
Afterwards, you won't have to manually update the key once a new version is available: it will be upgraded whenever a new deb.torproject.org-keyring package version is installed.
I have created a merge request to update the documentation in order to recommend this: https://gitlab.torproject.org/tpo/web/support/-/merge_requests/220
Note, however, that for keys that are not managed by a package or the package manager itself, they should be stored either in /usr/share/keyrings or /etc/apt/keyrings.
However, you can also overwrite the existing key. I'm not a fan of this and still keep all (old) versions in the keyring.
Since you are all tinkering with your servers anyway, why don't you try deb822-style ;-)
$ cat /etc/apt/sources.list.d/tor.sources
Types: deb deb-src
URIs: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torpro...
URIs: https://deb.torproject.org/torproject.org
Suites: bookworm
Components: main
Architectures: amd64
Signed-By: /etc/apt/keyrings/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.gpg
Interesting :)
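Added example, not part of the thread or of the Tor Project documentation: a POSIX shell/awk check that reads one-line sources.list entries or deb822 .sources stanzas and reports where each entry's signing key lives. The function name audit_apt_source and the labels OK, GLOBAL, OTHER and MISSING are assumptions made for this sketch, and it assumes Signed-By holds a single file path.

```shell
#!/bin/sh
# audit_apt_source [FILE...]: one verdict per source entry (reads stdin without FILE).
#   OK      key is in /usr/share/keyrings or /etc/apt/keyrings (as advised in the thread)
#   GLOBAL  key is in /etc/apt/trusted.gpg.d, which apt trusts for every repository
#   OTHER   key is somewhere else that apt can read
#   MISSING entry has no signed-by, so it relies on the globally trusted keys
audit_apt_source() {
    awk '
    function verdict(path) {
        if (path == "") return "MISSING"
        if (path ~ /^\/(usr\/share|etc\/apt)\/keyrings\//) return "OK " path
        if (path ~ /^\/etc\/apt\/trusted\.gpg\.d\//) return "GLOBAL " path
        return "OTHER " path
    }
    function end_stanza() {
        if (in_stanza) print verdict(key)
        in_stanza = 0; key = ""
    }
    /^[ \t]*#/ { next }                        # comments
    /^(deb|deb-src)[ \t]/ {                    # one-line style entry
        line = $0; gsub(/\[|\]/, " ", line)    # turn the [options] brackets into spaces
        n = split(line, f, /[ \t]+/); found = ""
        for (i = 1; i <= n; i++)
            if (f[i] ~ /^signed-by=/) found = substr(f[i], 11)
        print verdict(found); next
    }
    /^[ \t]*$/ { end_stanza(); next }          # a blank line closes a deb822 stanza
    { name = tolower($1) }                     # deb822 field names are case-insensitive
    name == "types:"     { in_stanza = 1 }
    name == "signed-by:" { key = $2 }
    END { end_stanza() }
    ' "$@"
}

# Sample input: the two one-line entries quoted in the thread.
audit_apt_source <<'EOF'
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/etc/apt/trusted.gpg.d/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
EOF
```

On a real system, pass it /etc/apt/sources.list.d/tor.list or tor.sources; for the sample above the deb-src line is reported as GLOBAL.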