[tbb-dev] New Signing PGP Subkey

Matthew Finkel sysrqb at torproject.org
Tue Dec 14 15:52:40 UTC 2021


On Tue, Dec 14, 2021 at 03:32:33AM -0500, Roger Dingledine wrote:
> On Tue, Dec 14, 2021 at 02:15:27AM +0000, Matthew Finkel wrote:
> > Please be aware that a new PGP subkey will be used for signing Tor
> > Browser packages beginning with Tor Browser 11.5a1.
> > 
> > Please refresh your keychain from keys.openpgp.org, as needed.
> 
> Thanks Matt.
> 
> What's the story with the torbrowserlauncher package these days? Should
> we expect another round of users reporting that they're being
> man-in-the-middled, because torbrowserlauncher is surprised by this new
> key and logs scary error messages? If yes, now that we see it coming,
> is there anything we can do to smooth its arrival, like pushing an update
> to that package?

The situation is better. If torbrowser-launcher has an old key in its
keyring and it can't verify the signature then it should automatically
refresh the signing key from Tor's WKD:

https://github.com/micahflee/torbrowser-launcher/pull/586

> 
> I am cc'ing Micah in case he knows the answer by now too. :)
> 
> --Roger
> 
> _______________________________________________
> tbb-dev mailing list
> tbb-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev

