[tor-dev] Distributing Tor developer keys via Fedora packages
sysrqb at torproject.org
Mon Jul 20 21:37:04 UTC 2020
On Fri, Jul 17, 2020 at 02:56:08PM +0100, Andrew Clausen wrote:
> Hi everyone,
Thanks for your interest in this.
> I propose distributing the Tor developer keys inside the Fedora package
> distribution-gpg-keys. This would give most Linux users a trustworthy
> chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> Tor project downloads.
(most? :) )
> I am happy to take care of this, although I am also happy if somebody who
> is more involved with Tor than me takes this on. I wrote a shell script
> (attached) to acquire and organise the keys based on
> https://2019.www.torproject.org/include/keys.txt. My script would install
> the following keys under /usr/share/distribution-gpg-keys/tor:
Unfortunately that file is very old and incorrect now.
> Unless someone else volunteers (please do!), I will set up a weekly job to
> run the script and alert me to any changes.
> Can anyone see any potential problems with this plan?
While this is a nice idea, creating a package like this would take more
time than we currently have to spare right now. But, with that being
said, we could probably automatically generate the package in a CI/CD
pipeline when the right people become less overwhelmed. Luckily, project
signing keys don't change very often (on the order of years), so if
there is a desire for a package like this, then it would likely only be
updated a couple times per year. I don't know who would upload it for
> The most obvious question is: how do I know that I am distributing
> unadulterated keys? I think the answer is that I don't! But any attack
> would have to affect a large group of people, and would be detected quickly
> as long as many people are looking at the distribution-gpg-keys package.
> If this solution is unsatisfactory, then perhaps someone who is more
> involved with the Tor developers -- and hence able to directly check the
> keys -- ought to take this on.
Yeah, if a package like this exists and it has tor's name attached to
it, then we should have a high degree of confidence that the package
contains the correct keys.
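The thread turns on one question: how would a packager (or the weekly job Andrew proposes) notice that the key files they are about to ship differ from what Tor actually published? The added example below is not from this thread and is not Tor's or Fedora's tooling. It parses an ASCII-armored OpenPGP public key block, computes the primary key's v4 fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, the two-byte packet length, and the public-key packet body), and compares each file against a pinned fingerprint manifest, reporting mismatches, unpinned files and pinned keys that went missing. Everything here is assumed: the sample key is constructed in the block (a tiny RSA modulus that is not a real key), the file names are invented, and the manifest is a plain dict standing in for whatever the packager keeps under version control.

```python
import base64
import hashlib
from typing import Dict, Iterator, List, Tuple


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2) and return the raw packet bytes."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    body: List[str] = []
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("-----END"):
            break
        if not line or ":" in line:      # armor headers (Version:, Comment:) and the blank separator
            continue
        if line.startswith("="):         # CRC-24 trailer; the fingerprint check below supersedes it
            continue
        body.append(line)
    return base64.b64decode("".join(body))


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each OpenPGP packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        i += 1
        if ctb & 0x40:                   # new-format header (RFC 4880 section 4.2.2)
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                            # old-format header (RFC 4880 section 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - i
            else:
                n = {0: 1, 1: 2, 2: 4}[ltype]
                length = int.from_bytes(data[i:i + n], "big")
                i += n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += length


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || public-key packet body."""
    if pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    return hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body).hexdigest().upper()


def primary_fingerprints(armored: str) -> List[str]:
    """Fingerprints of every primary public key (tag 6); subkeys (tag 14) are deliberately skipped."""
    return [v4_fingerprint(body) for tag, body in iter_packets(dearmor(armored)) if tag == 6]


def check_against_pins(key_blocks: Dict[str, str], pinned: Dict[str, str]) -> Dict[str, str]:
    """Verdict per file name: ok, MISMATCH, UNPINNED (file without a pin) or MISSING (pin without a file)."""
    report: Dict[str, str] = {}
    for name, armored in key_blocks.items():
        fps = primary_fingerprints(armored)
        expected = pinned.get(name)
        if expected is None:
            report[name] = "UNPINNED: no expected fingerprint on record"
        elif fps == [expected]:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH: got %s, expected %s" % (",".join(fps), expected)
    for name in pinned.keys() - key_blocks.keys():
        report[name] = "MISSING: pinned key not present"
    return report


# --- constructed sample data (assumption: not a real key, not a Tor key) ---------------------
def _mpi(value: int) -> bytes:
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _crc24(data: bytes) -> int:
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def _armor(packets: bytes) -> str:
    b64 = base64.b64encode(packets).decode()
    data_lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(_crc24(packets).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample, not a real key\n\n"
            + data_lines + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def _sample_body(modulus: int) -> bytes:
    # version 4, creation time, algorithm 1 (RSA), MPI n, MPI e; the 128-bit modulus is a toy value
    return b"\x04" + (1595280000).to_bytes(4, "big") + b"\x01" + _mpi(modulus) + _mpi(65537)


SAMPLE_BODY = _sample_body((1 << 127) + 12345)
SAMPLE_KEY = _armor(b"\xC6" + bytes([len(SAMPLE_BODY)]) + SAMPLE_BODY)       # 0xC6: new format, tag 6
_TAMPERED_BODY = _sample_body((1 << 127) + 12347)                            # one bit of n flipped
TAMPERED_KEY = _armor(b"\xC6" + bytes([len(_TAMPERED_BODY)]) + _TAMPERED_BODY)

if __name__ == "__main__":
    pins = {"tor-sample.asc": primary_fingerprints(SAMPLE_KEY)[0], "tampered.asc": primary_fingerprints(SAMPLE_KEY)[0]}
    for name, verdict in check_against_pins({"tor-sample.asc": SAMPLE_KEY, "tampered.asc": TAMPERED_KEY}, pins).items():
        print(name, verdict)
```

In a packaging job the `key_blocks` dict would be read from the directory being shipped and `pinned` from a manifest that was filled in once, out of band, from fingerprints confirmed with the key holders; the job's only output is then the list of files whose verdict is not `ok`. Comparing primary-key fingerprints rather than file hashes means a harmless re-export of the same key (new self-signatures, a fresh subkey) does not page anyone, while a swapped primary key does.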