[tor-dev] Distributing Tor developer keys via Fedora packages

Matthew Finkel sysrqb at torproject.org
Mon Jul 20 21:37:04 UTC 2020

On Fri, Jul 17, 2020 at 02:56:08PM +0100, Andrew Clausen wrote:
> Hi everyone,


Thanks for your interest in this.

> I propose distributing the Tor developer keys inside the Fedora package
> distribution-gpg-keys.[1]  This would give most Linux users a trustworthy
> chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> Tor project downloads.

(most? :) )

> I am happy to take care of this, although I am also happy if somebody who
> is more involved with Tor than me takes this on.  I wrote a shell script
> (attached) to acquire and organise the keys based on
> https://2019.www.torproject.org/include/keys.txt.  My script would install
> the following keys under /usr/share/distribution-gpg-keys/tor:

Unfortunately that file is very old and incorrect now.

> Arm_releases/Damian_Johnson.gpg
> Tails_live_system_releases/The_Tails_team.gpg
> TorBirdy_releases/Sukhbir_Singh.gpg
> Tor_Browser_releases/Arthur_Edelstein.gpg
> Tor_Browser_releases/Georg_Koppen.gpg
> Tor_Browser_releases/Mike_Perry.gpg
> Tor_Browser_releases/Nicolas_Vigier.gpg
> Tor_Browser_releases/The_Tor_Browser_Developers.gpg
> Tor_source_tarballs/Nick_Mathewson.gpg
> Tor_source_tarballs/Roger_Dingledine.gpg
> Torsocks_releases/David_Goulet.gpg
> deb.torproject.org_repositories_and_archives/Tor_Project_Archive.gpg
> older_Tor_tarballs/Nick_Mathewson.gpg
> other/Peter_Palfrader.gpg
> Unless someone else volunteers (please do!), I will set up a weekly job to
> run the script and alert me to any changes.
> Can anyone see any potential problems with this plan?

While this is a nice idea, creating a package like this would take more
time than we currently have to spare right now. But, with that being
said, we could probably automatically generate the package in a CI/CD
pipeline when the right people become less overwhelmed. Luckily, project
signing keys don't change very often (on the order of years), so if
there is a desire for a package like this, then it would likely only be
updated a couple times per year. I don't know who would upload it for
distribution, though.

> The most obvious question is: how do I know that I am distributing
> unadulterated keys?  I think the answer is that I don't!  But any attack
> would have to affect a large group of people, and would be detected quickly
> as long as many people are looking at the distribution-gpg-keys package.
> If this solution is unsatisfactory, then perhaps someone who is more
> involved with the Tor developers -- and hence able to directly check the
> keys -- ought to take this on.

Yeah, if a package like this exists and it has tor's name attached to
it, then we should have a high degree of confidence that the package
contains the correct keys.
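An added example, not code from this thread or from the Tor Project: the weekly "alert me to any changes" job discussed above amounts to pinning the fingerprint of each distributed key file and reporting any file that goes missing, changes, or appears without a pin. The script below does that without a gpg binary by computing the v4 fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-byte length, and the public-key packet body). The key files, their paths and the "Example_Dev" name are constructed toy inputs, not the real Tor keys; a production job would instead read fingerprints from `gpg --show-keys --with-colons` (the `fpr` records) and keep the manifest under version control.

```python
"""Added example (not from the thread): pin OpenPGP key fingerprints in a
manifest and report keys that are MISSING, CHANGED, UNEXPECTED or NEW."""
import base64
import hashlib
import struct


def armor_decode(text):
    """Return the binary packet data inside an ASCII-armored key block.
    Armor headers and the trailing CRC24 line ("=xxxx") are skipped."""
    lines = text.strip().splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP")), None)
    if start is None:
        raise ValueError("no PGP armor header found")
    data, seen_blank = [], False
    for line in lines[start + 1:]:
        if line.startswith("-----END PGP"):
            break
        if not seen_blank:            # armor headers end at the first blank line
            seen_blank = line.strip() == ""
            continue
        if line.startswith("="):      # CRC24 checksum line, not verified here
            continue
        data.append(line.strip())
    if not data:
        raise ValueError("armor block contains no data")
    return base64.b64decode("".join(data))


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; old and new header formats,
    fixed lengths only (partial-body and indeterminate lengths are rejected)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                               # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                        # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 0:
                length, i = data[i], i + 1
            elif ltype == 1:
                length, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
            elif ltype == 2:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("indeterminate length not supported")
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body):
    """Fingerprint of a version 4 public-key packet body (RFC 4880 12.2)."""
    if not body or body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_fingerprints(armored):
    """Fingerprints of the primary public keys (tag 6) in one armored block."""
    return [v4_fingerprint(body) for tag, body in iter_packets(armor_decode(armored)) if tag == 6]


def check_manifest(keys, manifest):
    """keys: {path: armored text} as found on disk; manifest: {path: pinned fingerprint}.
    Returns (ok, findings); findings are 'MISSING/CHANGED/UNEXPECTED/NEW ...' strings."""
    findings = []
    for path, expected in sorted(manifest.items()):
        if path not in keys:
            findings.append("MISSING %s" % path)
            continue
        fps = key_fingerprints(keys[path])
        if len(fps) != 1:
            findings.append("UNEXPECTED %s: %d primary keys in file" % (path, len(fps)))
        elif fps[0] != expected.replace(" ", "").upper():
            findings.append("CHANGED %s: pinned %s, found %s" % (path, expected, fps[0]))
    for path in sorted(set(keys) - set(manifest)):   # files nobody has pinned yet
        findings.append("NEW %s: %s" % (path, ", ".join(key_fingerprints(keys[path]))))
    return not findings, findings


def make_test_key(n, e, created):
    """Constructed toy key for the demo: a v4 RSA public-key packet with the given
    modulus/exponent (not a real key pair) in an old-format tag 6 packet, armored."""
    def mpi(x):
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n"
            % base64.b64encode(packet).decode())


# Constructed sample inputs (not the real Tor keys): one pinned key and a tampered copy.
KEY_A = make_test_key(0xD5F2A1C3B7E9908877665544332211FFEEDDCCBBAA99887766554433221100F1, 65537, 1595280000)
KEY_A_TAMPERED = make_test_key(0xD5F2A1C3B7E9908877665544332211FFEEDDCCBBAA99887766554433221100F3, 65537, 1595280000)
MANIFEST = {"Tor_source_tarballs/Example_Dev.gpg": key_fingerprints(KEY_A)[0]}

if __name__ == "__main__":
    on_disk = {"Tor_source_tarballs/Example_Dev.gpg": KEY_A_TAMPERED, "other/Unpinned.gpg": KEY_A}
    ok, findings = check_manifest(on_disk, MANIFEST)
    print("ok" if ok else "ALERT")
    for finding in findings:
        print(" ", finding)
```

The check only detects drift relative to the first fetch: it says nothing about whether that first copy of keys.txt was genuine, which is exactly the question raised in the thread, so the initial pins still have to be confirmed out of band (against fingerprints published by the developers, or signatures from keys already trusted) before the manifest is worth anything.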


