[tor-bugs] #22637 [Webpages/Website]: Find a more maintainable approach for the signing-keys page

[Tor Bug Tracker & Wiki]

#22637: Find a more maintainable approach for the signing-keys page
------------------------------------------+--------------------------------
 Reporter:  arma                          |          Owner:  hiro
     Type:  defect                        |         Status:  accepted
 Priority:  Medium                        |      Milestone:  website
                                          |  redesign
Component:  Webpages/Website              |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  website-content, website-bug  |  Actual Points:
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+--------------------------------

Comment (by traumschule):

 This question came up in #tor today, I tried to answer (happy about
 feedback):

 > Hello all! I've been naively assuming to-date that @nickm signs all the
 Tor source bundles, but it turns out that the latest one that I'm fetching
 (3.3.9) is signed by Roger under C218525819F78451 - I'm wondering if
 there's a resource I can read to understand who is/is-not a trusted
 signer, please?

 > You can install the deb.torproject.org-keyring package:
 https://www.torproject.org/docs/debian.html.en
 > The signing keys are on this page: https://www.torproject.org/docs
 /signing-keys.html.en

 > that's a really interesting idea ... though I am a little worried,
 because this is on Raspbian / Raspberry Pi, and so that might not work.

 > On Raspbian you could retrieve the source as explained at the link above
 and run 'apt source deb.torproject.org-keyring'. Then the keyring is in
 deb.torproject.org-keyring-2018.08.06/keyrings/deb.torproject.org-
 keyring.gpg
 > Torproject could improve the authenticity of the signing keys page by
 actually signing it.

 My proposal is to have a script referenced in the Makefile of webwml which
 creates text file containing a signed statement of
 [https://www.torproject.org/docs/signing-keys.html.en responsibilities]
 with all valid fingerprints and subkeys. Including this in the website
 would raise the credibility of the site a lite. Riseup uses a similar
 process for their [https://riseup.net/en/security/network-
 security/certificates TLS certificates].

 {{{
 # option 1: list all keyids
 keys="0x4E2C6E8793298290 0x0E3A92E4 0x4B7C3223 0xD0220E4B 0x23291265
 0xD752F538C0D38C3A 0x28988BF5 0x19F78451 0xFE43009C4607B1FB
 0x6AFEE6D49E92B601 0x165733EA 0x8D29319A 0x886DDD89 0x9ABBEEC6 0x58ACD84F
 0x42E86A2A11F48D36 0xB01C8B006DA77FAA 0xC82E0039 0xE1DEC577"
 gpg --recv $keys

 # option 2: import keys from a keyring
 apt source deb.torproject.org-keyring
 gpg --import deb.torproject.org-keyring-*/keyrings/deb.torproject.org-
 keyring.gpg

 # the exact options may differ
 gpg --fingerprint $keys >> docs/en/signing-keys.txt
 gpg --clearsign docs/en/signing-keys.txt
 }}}

 related: #21808, #23586

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22637#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online