[tor-bugs] #31292 [Applications]: please sign Tor releases with an OpenPGP tool that includes Issuer Fingerprint subpackets
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 30 16:23:31 UTC 2019
#31292: please sign Tor releases with an OpenPGP tool that includes Issuer
Fingerprint subpackets
------------------------------+--------------------
Reporter: dkg | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------
The OpenPGP signatures on distributed tor software currently have only an
unhashed "issuer" subpacket, which contains only the 64-bit keyid of the
public key used to create the signature.
Modern versions of GnuPG (version 2.1.16 or later) produce an "issuer
fingerprint" subpacket in each signature by default, which includes the
full fingerprint of the issuing public key.
The "issuer fingerprint" subpacket provides a much stronger linkage
between the signature and the OpenPGP key used to make it.
This is not a core security concern -- that is, lack of an "issuer
fingerprint" subpacket doesn't make it possible to forge signatures or do
anything comparably serious -- but the story we tell about verifying
signatures is cleaner if the full fingerprint is present in each
signature.
If it is possible to upgrade the version of GnuPG (or any other modern
OpenPGP implementation) that signs Tor releases to one that generates
these subpackets, that would be a good thing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31292>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list