[tor-bugs] #10495 [Website]: Better way - Leftover tor gpg signing key in the local user's gpg keychain in the documentation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Dec 27 09:43:46 UTC 2013
#10495: Better way - Leftover tor gpg signing key in the local user's gpg keychain
in the documentation
-------------------------+---------------------
Reporter: daffyduck | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Website | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+---------------------
{{{
Hi,
}}}
{{{
on this page:
https://www.torproject.org/docs/debian.html.en#ubuntu
}}}
{{{
You give the following two instructions for downloading the gpg signing
key and then using it for apt. This leaves the tor gpg signing key in the
local user's gpg keychain.
}}}
{{{
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
}}}
{{{
However, apt-key could do this in one command:
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 886DDD89
}}}
{{{
Now, I do not know if you have a reason to use two separate lines, maybe
you do not trust apt-key being run with sudo to fetch keys from a
keyserver.
}}}
{{{
If that is the case then you could tell users that they can remove the tor
signing key from the local keychain, since it is not used there.
}}}
{{{
gpg --delete-key 0x886DDD89
}}}
{{{
You could also fetch the key with wget and pipe it to apt-key directly,
which might be the cleanest solution of all:
}}}
{{{
wget -q 'http://keys.gnupg.net/pks/lookup?op=get&search=0x886DDD89' -O- |
sudo apt-key add -
}}}
{{{
This would also avoid the leftover tor gpg signing key in any user's local
gpg keychain.
}}}
{{{
BR
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10495>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
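
An added example, not part of the ticket or of the Tor website's instructions: a sketch that fetches the key into a throwaway GNUPGHOME so nothing is left in the user's keychain, and exports it only if the full fingerprint from the ticket's `gpg --export` line matches, since the 8-digit ID alone does not uniquely identify a key. The function names are hypothetical; the keyserver host, key ID and fingerprint are the ones quoted in the ticket.

```shell
#!/bin/sh
# Added example (not the Tor Project's own script).
# Full fingerprint as it appears in the ticket's `gpg --export` line.
TOR_FPR=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

# Read `gpg --with-colons` key listing on stdin. Succeed only if it holds
# exactly one primary key ("pub") and that key's fingerprint (field 10 of
# the "fpr" record directly following it) equals $1. Subkey fingerprints
# are ignored. Comparison is case-insensitive and ignores spaces.
listing_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub"           { npub++; expect = 1; next }
        expect && $1 == "fpr" { got = $10; expect = 0 }
        # "" forces string comparison even for all-digit-looking values
        END { exit !(npub == 1 && (got "") == (want "")) }'
}

# Fetch key $1 into a temporary keyring, verify it against fingerprint $2,
# and write the armored key to stdout. ~/.gnupg is never touched, so there
# is nothing to delete afterwards.
fetch_verified_key() {
    keyid=$1
    fpr=$2
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    if GNUPGHOME=$tmp gpg --batch --quiet --keyserver keys.gnupg.net \
           --recv-keys "$keyid" >&2 &&
       GNUPGHOME=$tmp gpg --batch --with-colons --fingerprint |
           listing_matches "$fpr"
    then
        GNUPGHOME=$tmp gpg --batch --armor --export "$fpr"
        rc=$?
    else
        echo "fetch failed or fingerprint mismatch; nothing exported" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage:
#   fetch_verified_key 886DDD89 "$TOR_FPR" > tor.asc && sudo apt-key add tor.asc
```

Writing to a file first, as in the usage line, means `apt-key add` only runs when the fingerprint check succeeded; piping straight into `sudo apt-key add -` would ignore the function's exit status.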