[tor-bugs] #11299 [Tor bundles/installation]: Improve the key management for the TBB package signing process

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 24 21:39:02 UTC 2014


#11299: Improve the key management for the TBB package signing process
--------------------------------------+-----------------------
 Reporter:  mikeperry                 |          Owner:  erinn
     Type:  project                   |         Status:  new
 Priority:  normal                    |      Milestone:
Component:  Tor bundles/installation  |        Version:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+-----------------------
 We need to improve how we handle the individual package signing (currently
 done by Erinn) to eliminate bottlenecks and to allow us to fully rotate
 release duties.

 Ideally, we would have a hardware signing token on a dedicated machine, so
 we can track the signature count of releases and ensure there is no
 possibility of rogue signatures. I have a token I can mail to someone for
 this purpose.

 We'll need Erinn's key to sign this new key as well as announce this key,
 and list it on the keys page, to reduce potential confusion.

 We also need to find a dedicated, secure machine to attach this token to
 (or to hold a software key).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11299>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
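
The signature-count tracking proposed in the ticket can be checked mechanically; the following is an added example, not part of the original ticket and not Tor Project code. It assumes the token is an OpenPGP card read with `gpg --card-status`; the release ledger, the baseline value, and all function names are hypothetical, and the sample data is constructed.

```python
import re

# Constructed excerpt of `gpg --card-status` output; not from a real token.
SAMPLE_CARD_STATUS = """\
Signature PIN ....: forced
Signature counter : 14
"""

# Constructed ledger: one entry per signature the release team recorded.
SAMPLE_LEDGER = [
    ("release-A", "bundle-linux.tar.xz"),
    ("release-A", "bundle-osx.zip"),
    ("release-A", "bundle-windows.exe"),
]


def read_signature_counter(card_status: str) -> int:
    """Return the card's signature counter from `gpg --card-status` text."""
    m = re.search(r"^Signature counter\s*:\s*(\d+)\s*$", card_status, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Signature counter' line in card status")
    return int(m.group(1))


def pin_forced(card_status: str) -> bool:
    """True if the card demands the PIN for every single signature."""
    m = re.search(r"^Signature PIN\s*\.*:\s*(.+?)\s*$", card_status, re.MULTILINE)
    return m is not None and m.group(1) == "forced"


def reconcile(card_status: str, ledger: list, baseline: int = 0) -> dict:
    """Compare the card counter with baseline + recorded signatures.

    baseline is the counter value noted when the ledger was started.
    delta > 0: the token signed something the ledger does not list.
    delta < 0: the ledger lists signatures this token did not make.
    """
    counter = read_signature_counter(card_status)
    expected = baseline + len(ledger)
    delta = counter - expected
    verdict = "ok" if delta == 0 else ("unaccounted" if delta > 0 else "ledger-mismatch")
    return {"counter": counter, "expected": expected, "delta": delta,
            "verdict": verdict, "pin_forced": pin_forced(card_status)}


if __name__ == "__main__":
    # Baseline 10 + 3 recorded signatures = 13, but the card reports 14.
    print(reconcile(SAMPLE_CARD_STATUS, SAMPLE_LEDGER, baseline=10))
```

Running the check before and after each release on the dedicated machine gives every release manager the same view of how many signatures the token has produced.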