[tor-dev] Distributing Tor developer keys via Fedora packages
andrew.p.clausen at gmail.com
Mon Jul 20 23:28:21 UTC 2020
On Mon, 20 Jul 2020 at 22:37, Matthew Finkel <sysrqb at torproject.org> wrote:
> > I propose distributing the Tor developer keys inside the Fedora package
> > distribution-gpg-keys. This would give most Linux users a trustworthy
> > chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> > Tor project downloads.
> (most? :) )
I suspect so. I haven't checked if Debian/Ubuntu have keyrings for
Fedora. (Vice versa is certainly true.)
> > I am happy to take care of this, although I am also happy if somebody who
> > is more involved with Tor than me takes this on. I wrote a shell script
> > (attached) to acquire and organise the keys based on
> > https://2019.www.torproject.org/include/keys.txt. My script would install
> > the following keys under /usr/share/distribution-gpg-keys/tor:
> Unfortunately that file is very old and incorrect now.
That is unfortunate. Is there any sensible way that users can currently
verify signatures of their downloads? (Can I mimic that?)
> > The most obvious question is: how do I know that I am distributing
> > unadulterated keys? I think the answer is that I don't! But any attack
> > would have to affect a large group of people, and would be detected
> > as long as many people are looking at the distribution-gpg-keys package.
> > If this solution is unsatisfactory, then perhaps someone who is more
> > involved with the Tor developers -- and hence able to directly check the
> > keys -- ought to take this on.
> Yeah, if a package like this exists and it has tor's name attached to
> it, then we should have a high degree of confidence that the package
> contains the correct keys.
I'm not sure I understood what you mean. Are you worried about an attack?
Or just miscommunication?
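As an added example (not the script attached to the mail, which is not reproduced here), a POSIX shell verifier that trusts only the keys a distro package would ship under the proposed /usr/share/distribution-gpg-keys/tor path, which is the trust model the thread discusses. It assumes one armored key per file in that directory and a detached .asc signature next to the download; the function names are mine.

```shell
#!/bin/sh
# Verify a downloaded Tor artifact using only distro-shipped developer keys.
# Assumed layout: KEYDIR holds one armored public key per file, and the
# signature is a detached .asc file over the downloaded artifact.

# build_keyring KEYDIR OUT_KEYRING
# Imports every key file in KEYDIR into a fresh keyring at OUT_KEYRING inside
# a throwaway GnuPG home, so ~/.gnupg never influences the result.
# Returns 2 (fail closed) when the directory or its key files are missing.
build_keyring() {
    dir="$1"; out="$2"
    [ -d "$dir" ] || { echo "key directory $dir not found" >&2; return 2; }
    found=0
    for k in "$dir"/*; do
        [ -f "$k" ] || continue
        found=1
        gpg --homedir "$(dirname "$out")" --batch --quiet \
            --no-default-keyring --keyring "$out" --import "$k" || return 2
    done
    [ "$found" -eq 1 ] || { echo "no key files in $dir" >&2; return 2; }
}

# verify_download KEYDIR FILE SIG
# 0: SIG is a good signature over FILE by a key shipped in KEYDIR
# 1: signature check failed; 2: inputs or keyring unavailable
verify_download() {
    keydir="$1"; file="$2"; sig="$3"
    { [ -f "$file" ] && [ -f "$sig" ]; } ||
        { echo "missing download or signature file" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    chmod 700 "$tmp"
    rc=0
    build_keyring "$keydir" "$tmp/tor.gpg" || rc=2
    if [ "$rc" -eq 0 ]; then
        # gpgv is verification-only and treats every key in the supplied
        # keyring as trusted: the distro package is the trust root here.
        gpgv --keyring "$tmp/tor.gpg" "$sig" "$file" || rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: verify_download /usr/share/distribution-gpg-keys/tor tor.tar.gz tor.tar.gz.asc
```

A missing or empty key directory is reported as an error rather than silently passing, so a package that failed to ship keys cannot make verification "succeed".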