[tor-dev] Public Key Chaos

thomas.hluchnik at netcologne.de
Thu Jan 11 11:24:09 UTC 2018

On Wednesday 10 January 2018 17:37:57, Azat Khuzhin wrote:

> Nick suggested me to upload my key to repo (github), to make people know
> that at least I have admin rights to that repo.
> But now I remembered, that my github account has attached gpg key to it,
> you can see it here:
>   https://github.com/libevent/libevent/releases/tag/release-2.1.8-stable
> Does this enough for your needs?

No, not really. Let's assume an evil third party is redirecting my download (by DNS spoofing or the like), using a fake web server certificate. This would enable the attacker to exchange the libevent package, the checksum files and the signature file. This fake signing key could be uploaded to the key servers by them, pretending it were your personal key. If I trusted that, the tor network would be in danger: TOR executables would rely on insecure shared libraries.

The only way to establish trust is: the signature must be created with a GPG key which was signed by other trustworthy persons. For example, Nick's key has been signed by many people for many years. So I have no doubt that files which are signed with that key are really from Nick. If he signs your key, then I can trust files signed with your key.

If you are going to sign more packages in the future, don't hesitate to collect further signatures from other trustworthy persons or organizations.

Best Regards, Thomas Hluchnik
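As an added example, not code from the tor-dev thread, from libevent or from Tor: a POSIX shell check that enforces the rule Thomas describes. It accepts a tarball only if the detached signature is good and the key that made it carries a certification from a key whose fingerprint you already trust and obtained out of band (Nick's, in the thread's case). File names, user IDs and fingerprints are placeholders.

```shell
#!/bin/sh
# Added example, not code from the tor-dev thread or from libevent/Tor.
# Accept a downloaded tarball only if (a) its detached signature is good and
# (b) the key that made it carries a certification from a key we already
# trust, whose fingerprint we obtained out of band. Paths and fingerprints
# are placeholders supplied by the caller.

# verify_with_trusted_certifier TARBALL SIGFILE TRUSTED_FPR
#   Returns 0 when both conditions hold, 1 otherwise.
verify_with_trusted_certifier() {
    tarball=$1
    sigfile=$2
    trusted_fpr=$3

    # gpg exits 0 for any good signature, even from a key nobody has certified,
    # so a zero exit is only the first of two checks. --status-fd gives
    # machine-readable output; VALIDSIG carries the fingerprint of the signing
    # (sub)key in field 3 and of its primary key in field 12 when present.
    status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null) || return 1
    signer_fpr=$(printf '%s\n' "$status" \
        | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print ($12 != "" ? $12 : $3); exit }')
    [ -n "$signer_fpr" ] || return 1

    # Long key IDs are the last 16 hex digits of a fingerprint; that is what
    # --check-sigs reports in field 5 of each "sig" record.
    trusted_keyid=$(printf '%s' "$trusted_fpr" | tail -c 16)
    signer_keyid=$(printf '%s' "$signer_fpr" | tail -c 16)
    # A self-signature proves nothing, so the trusted key must be a different key.
    [ "$signer_keyid" != "$trusted_keyid" ] || return 1

    # --check-sigs verifies each certification on the key; field 2 is "!" only
    # when the certification itself checked out against the certifier's key,
    # which must therefore also be present in the keyring.
    gpg --batch --with-colons --check-sigs "$signer_fpr" 2>/dev/null \
        | awk -F: -v kid="$trusted_keyid" \
            '$1=="sig" && $2=="!" && $5==kid { found=1 } END { exit found ? 0 : 1 }'
}

# Usage (placeholder file names and variable): exit non-zero unless the tarball
# was signed by a key certified by the maintainer key whose fingerprint we trust.
# verify_with_trusted_certifier libevent-2.1.8-stable.tar.gz \
#     libevent-2.1.8-stable.tar.gz.asc "$TRUSTED_MAINTAINER_FPR"
```

The second check is the whole point: a spoofed download can ship a matching signature from an attacker's key, and `gpg --verify` will still exit 0 for it, so the script only trusts keys certified by a fingerprint that was pinned independently of the download path. The trusted fingerprint itself has to come from somewhere the attacker cannot reach (a key-signing party, an in-person exchange, a long-standing key with many certifications), or the check is circular.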
