[tor-bugs] #31292 [Applications]: please sign Tor releases with an OpenPGP tool that includes Issuer Fingerprint subpackets

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 30 16:53:41 UTC 2019


#31292: please sign Tor releases with an OpenPGP tool that includes Issuer
Fingerprint subpackets
--------------------------+------------------------
 Reporter:  dkg           |          Owner:  (none)
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:
Component:  Applications  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------

Comment (by dkg):

 It looks like all of them.

 If you fetch the signature and feed it through `pgpdump` or
 `gpg --list-packets`, you can see whether or not there is an issuer
 fingerprint packet.

 Example output of `gpg --list-packets` without an issuer fingerprint:

 ```
 # off=0 ctb=89 tag=2 hlen=3 plen=540
 :signature packet: algo 1, keyid 6AFEE6D49E92B601
         version 4, created 1556821409, md5len 0, sigclass 0x00
         digest algo 10, begin of digest d2 6c
         hashed subpkt 2 len 4 (sig created 2019-05-02)
         subpkt 16 len 8 (issuer key ID 6AFEE6D49E92B601)
         data: [4096 bits]
 ```

 Example with an issuer fingerprint subpacket:

 ```
 # off=0 ctb=89 tag=2 hlen=3 plen=626
 :signature packet: algo 1, keyid B97A1EE09DB417EC
         version 4, created 1562013678, md5len 0, sigclass 0x01
         digest algo 8, begin of digest e8 76
         hashed subpkt 33 len 21 (issuer fpr v4 59A29DEA8D37388C656863DFB97A1EE09DB417EC)
         hashed subpkt 2 len 4 (sig created 2019-07-01)
         hashed subpkt 24 len 40 (preferred keyserver: https://metacode.biz/@wiktor/openpgp/key)
         hashed subpkt 28 len 19 (signer's user ID)
         subpkt 16 len 8 (issuer key ID B97A1EE09DB417EC)
         data: [4095 bits]
 ```

 You're looking for the `subpkt 33` line -- and, it's also better if it's a
 "hashed" subpacket, because that means it cannot be stripped without
 invalidating the signature.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31292#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
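As an added example (not part of the ticket or of dkg's comment), a small Python checker that scans `gpg --list-packets` output for the `subpkt 33` line and reports whether the Issuer Fingerprint subpacket is absent, present but unhashed, or hashed. The two embedded listings are the ones quoted above with their wrapped lines rejoined; `check_signature_file` assumes `gpg` is on PATH.

```python
import re
import subprocess
from typing import List, Tuple

# Sample listings copied from the comment above (lines rejoined as gpg prints them).
# First: a detached signature with only the old issuer key ID (subpkt 16).
WITHOUT_FPR = """\
# off=0 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 6AFEE6D49E92B601
        version 4, created 1556821409, md5len 0, sigclass 0x00
        digest algo 10, begin of digest d2 6c
        hashed subpkt 2 len 4 (sig created 2019-05-02)
        subpkt 16 len 8 (issuer key ID 6AFEE6D49E92B601)
        data: [4096 bits]
"""
# Second: a signature that also carries a hashed Issuer Fingerprint (subpkt 33).
WITH_FPR = """\
# off=0 ctb=89 tag=2 hlen=3 plen=626
:signature packet: algo 1, keyid B97A1EE09DB417EC
        version 4, created 1562013678, md5len 0, sigclass 0x01
        digest algo 8, begin of digest e8 76
        hashed subpkt 33 len 21 (issuer fpr v4 59A29DEA8D37388C656863DFB97A1EE09DB417EC)
        hashed subpkt 2 len 4 (sig created 2019-07-01)
        subpkt 16 len 8 (issuer key ID B97A1EE09DB417EC)
        data: [4095 bits]
"""

# Matches "[hashed] subpkt <type> len <n> (<description>)" lines of --list-packets.
SUBPKT_RE = re.compile(r"^\s*(hashed\s+)?subpkt\s+(\d+)\s+len\s+\d+\s+\((.*)\)\s*$")


def issuer_fingerprints(listing: str) -> List[Tuple[str, bool]]:
    """Return (fingerprint, hashed) for every type-33 subpacket in the listing.
    Only a hashed subpacket is covered by the signature; an unhashed one can be
    stripped or replaced without invalidating the signature."""
    found = []
    for line in listing.splitlines():
        m = SUBPKT_RE.match(line)
        if m and m.group(2) == "33":
            fpr = m.group(3).split()[-1].upper()  # "issuer fpr v4 <hex>" -> <hex>
            found.append((fpr, m.group(1) is not None))
    return found


def check_signature_listing(listing: str) -> str:
    """Classify a listing as 'missing', 'unhashed' or 'hashed'."""
    fprs = issuer_fingerprints(listing)
    if not fprs:
        return "missing"
    return "hashed" if all(h for _, h in fprs) else "unhashed"


def check_signature_file(path: str) -> str:
    """Run gpg --list-packets on a real .asc/.sig file (assumes gpg is installed)."""
    out = subprocess.run(["gpg", "--list-packets", path],
                         capture_output=True, text=True, check=True).stdout
    return check_signature_listing(out)
```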