[tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Nov 19 12:18:06 UTC 2013
#5463: BridgeDB must GPG-sign outgoing mails
--------------------------+----------------------------
     Reporter:  rransom   |       Owner:  isis
         Type:  defect    |      Status:  assigned
     Priority:  major     |   Milestone:
    Component:  BridgeDB  |     Version:
   Resolution:            |    Keywords:  bridgegb-email
Actual Points:            |   Parent ID:
       Points:            |
--------------------------+----------------------------
Changes (by isis):
* status: needs_information => assigned
* keywords: important => bridgegb-email
* owner: => isis
* priority: critical => major
Comment:
I wrote several tests for the functionality of this, and I'll spare the
details, but python-gpgme is a horrible, horrible monster and we should
not be using it.
Essentially, the TravisCI builds are failing right now (with TESTING gpg
keys in place, and EMAIL_GPG_SIGN_KEY and enabled) simply because gpgme,
when you do:
{{{
gpgme.Context().import_(open(cfg.EMAIL_GPG_SIGN_KEY))
}}}
doesn't import that key. Instead, it imports ''every key in the EUID's
home directory''. For the continuous integration tests, this means that
(because the `tor` package from the Debian repositories is installed as
part of the CI build script) the `deb.torproject.org archive signing key`
ends up as the first key, gpgme tries to sign a test email with it, and
craps its pants.
It is about 50 lines of code to iterate through the fingerprint of every
uid of every key and find the one that matches the signing subkey...I
don't trust this thing. I think it is buggy and poorly designed and way
too many things are going to go wrong with it. Perhaps this is just me
complaining because I spent a good three months last year writing a python
gnupg module, but I would actually be worried to deploy using
python-gpgme. I've not yet assessed how much work it would be to replace it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5463#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
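
The failure described in the comment above comes from letting keyring order decide which key signs. As an added example (not BridgeDB's code and not part of the original message), the Python below pins the signing key by fingerprint by parsing a `gpg --with-colons` key listing and refuses anything that is not a valid, signing-capable key. The fingerprints and the listing are constructed, and it assumes a GnuPG version that prints an `fpr` record after every `pub` and `sub` record.

```python
# Added example: pin the signing key by fingerprint, never by keyring order.
# Fingerprints and the key listing below are constructed, not real keys.
FPR_ARCHIVE = "A" * 40   # unrelated key that happens to be listed first
FPR_PRIMARY = "B" * 40   # certify-only primary key
FPR_SIGNING = "C" * 40   # valid signing subkey (the one to pin)
FPR_EXPIRED = "D" * 40   # expired signing subkey

def _rec(kind, validity, fpr, caps):
    """Build a pub/sub record plus its fpr record in --with-colons layout."""
    head = [kind, validity, "4096", "1", fpr[-16:], "1380000000",
            "", "", "", "", "", caps, ""]
    return ":".join(head) + "\n" + "fpr" + ":" * 9 + fpr + ":"

SAMPLE_LISTING = "\n".join([
    _rec("pub", "-", FPR_ARCHIVE, "scSC"),
    _rec("pub", "-", FPR_PRIMARY, "cSC"),
    _rec("sub", "-", FPR_SIGNING, "s"),
    _rec("sub", "e", FPR_EXPIRED, "s"),
])

def find_signing_key(listing, pinned_fpr):
    """Return (primary_fpr, signing_fpr) for the pinned key, or raise."""
    wanted = pinned_fpr.replace(" ", "").upper()
    primary = None   # fingerprint of the pub record currently being read
    pending = None   # (kind, validity, capabilities) waiting for its fpr line
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            pending = (f[0], f[1], f[11])
            if f[0] == "pub":
                primary = None
        elif f[0] == "fpr" and pending and len(f) > 9:
            kind, validity, caps = pending
            pending = None
            fpr = f[9].upper()
            if kind == "pub":
                primary = fpr
            if fpr != wanted:
                continue
            if validity in ("r", "e", "d", "i"):   # revoked/expired/disabled/invalid
                raise ValueError("pinned key is not valid: " + validity)
            if "s" not in caps:                    # lowercase s: this key can sign
                raise ValueError("pinned key cannot sign")
            return primary, fpr
    raise LookupError("pinned fingerprint not in keyring")  # fail closed
```

Failing closed on a missing or unusable key means a keyring that contains other keys cannot silently change which key signs outgoing mail.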