[tor-dev] Distributing Tor developer keys via Fedora packages

Andrew Clausen andrew.p.clausen at gmail.com
Mon Jul 20 23:28:21 UTC 2020


Hi Matt,

On Mon, 20 Jul 2020 at 22:37, Matthew Finkel <sysrqb at torproject.org> wrote:

> > I propose distributing the Tor developer keys inside the Fedora package
> > distribution-gpg-keys.[1]  This would give most Linux users a trustworthy
> > chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> > Tor project downloads.
>
> (most? :) )
>

I suspect so.  I haven't checked if Debian/Ubuntu have keyrings for
Fedora.  (Vice versa is certainly true.)


> > I am happy to take care of this, although I am also happy if somebody who
> > is more involved with Tor than me takes this on.  I wrote a shell script
> > (attached) to acquire and organise the keys based on
> > https://2019.www.torproject.org/include/keys.txt.  My script would install
> > the following keys under /usr/share/distribution-gpg-keys/tor:
>
> Unfortunately that file is very old and incorrect now.
>

That is unfortunate.  Is there any sensible way that users can currently
verify signatures of their downloads?  (Can I mimic that?)


> > The most obvious question is: how do I know that I am distributing
> > unadulterated keys?  I think the answer is that I don't!  But any attack
> > would have to affect a large group of people, and would be detected quickly
> > as long as many people are looking at the distribution-gpg-keys package.
> > If this solution is unsatisfactory, then perhaps someone who is more
> > involved with the Tor developers -- and hence able to directly check the
> > keys -- ought to take this on.
>
> Yeah, if a package like this exists and it has tor's name attached to
> it, then we should have a high degree of confidence that the package
> contains the correct keys.
>

I'm not sure I understood what you mean.  Are you worried about an attack?
Or just miscommunication?