[tor-bugs] #31296 [Webpages/Support]: simplify OpenPGP signature verification instructions

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 25 11:08:21 UTC 2019


#31296: simplify OpenPGP signature verification instructions
------------------------------+--------------------------
 Reporter:  dkg               |          Owner:  ggus
     Type:  defect            |         Status:  reopened
 Priority:  Medium            |      Milestone:
Component:  Webpages/Support  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+--------------------------

Comment (by boklm):

 When fetching the torbrowser key with wkd using the command from
 https://support.torproject.org/tbb/how-to-verify-signature/, I get the
 following two subkeys:
 {{{
 pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
       EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
 uid                 [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
 sub   rsa4096/2D000988589839A3 2014-12-15 [S] [revoked: 2015-08-26]
 sub   rsa4096/EB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
 }}}

 One of them is a revoked subkey.

 According to the `gpgv` manpage: "gpgv assumes that all keys in the
 keyring are trustworthy.  That does also mean that it does not check for
 expired or revoked keys".

 Does this mean that if a new Tor Browser release is signed with the
 revoked subkey `EB774491D9FF06E2`, then gpgv will not complain? If so then
 we probably need to add instructions explaining how to remove revoked
 subkeys from the keyring.

 As we regularly rotate the subkey we use for signing the releases, I think
 we should also include on this page how to refresh the key (and how to
 remove expired and revoked subkeys from the keyring, if gpgv would use
 them without complaining).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
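Added example (not part of the ticket, the support page or Tor Browser's own tooling): a small POSIX-shell helper covering the points raised above, namely refreshing the key over WKD, reading the key listing in gpg's machine-readable colon format to spot signing subkeys that are revoked or expired, and exporting a keyring for gpgv with those subkeys dropped so that a signature made with one of them fails instead of being accepted. Assumptions: the fingerprint is the one from the listing above, the file name tor.keyring and the Unix-timestamp argument are illustrative, and the drop-subkey export filter needs a GnuPG 2.1 or later gpg. The sample listing used in the comments and the test is constructed to mirror the listing above, with one extra (invented) expired signing subkey and one encryption subkey.

```sh
#!/bin/sh
# Added example for ticket #31296: refresh the Tor Browser signing key, find the
# subkeys gpgv would silently accept, and build a gpgv keyring without them.
# Assumptions: the fingerprint is the one from the listing above; the output
# file name tor.keyring and the timestamp argument are illustrative.

TB_KEY_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Refresh via WKD (the same lookup the support page uses) and list the key in
# the machine-readable colon format that the other functions parse.
refresh_and_list() {
    gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org >/dev/null
    gpg --list-keys --with-colons "$TB_KEY_FPR"
}

# Read --with-colons output on stdin and print "<keyid> <state>" for every
# signing-capable subkey, where state is ok, revoked or expired.
# Fields used: $1 record type, $2 validity (r=revoked, e=expired), $5 key ID,
# $7 expiration as a Unix timestamp, $12 capabilities (s = signing).
# The function's first argument is the "now" timestamp (default: current time)
# so the expiry comparison can be pinned in a test. For a constructed listing
# such as
#   sub:r:4096:1:2D000988589839A3:1418601600::::::s::::::23:
#   sub:-:4096:1:EB774491D9FF06E2:1527292800:1599868800:::::s::::::23:
# it prints "2D000988589839A3 revoked" and "EB774491D9FF06E2 ok" (for a "now"
# before 2020-09-12).
audit_subkeys() {
    now="${1:-$(date +%s)}"
    awk -F: -v now="$now" '
        $1 == "sub" && index($12, "s") > 0 {
            state = "ok"
            if ($2 == "r")
                state = "revoked"
            else if ($2 == "e" || ($7 != "" && ($7 + 0) < (now + 0)))
                state = "expired"
            print $5, state
        }'
}

# Export the key for gpgv with revoked and expired subkeys dropped, using the
# --export-filter drop-subkey property filter of GnuPG 2.1+. Since gpgv treats
# every key in its keyring as trustworthy, leaving them out is what makes a
# signature from a revoked subkey fail.
export_gpgv_keyring() {
    out="${1:-tor.keyring}"
    gpg --export-filter 'drop-subkey=revoked -t || expired -t' \
        --export "$TB_KEY_FPR" > "$out"
}

# Usage (not run here):
#   refresh_and_list | audit_subkeys
#   export_gpgv_keyring tor.keyring
#   gpgv --keyring ./tor.keyring tor-browser.tar.xz.asc tor-browser.tar.xz
```

The audit step is the useful part for the page: it makes visible which subkey in the listing is the revoked one and which is the current signing subkey, so a reader can compare against the key ID gpgv or gpg reports for a signature before deciding whether to trust it. The filtered export is one way to keep a gpgv keyring honest without interactive `--edit-key` sessions; the `./` prefix on the keyring path matters, as gpgv looks up a bare name in its home directory.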