[tor-project] Problems fetching Debian package archive signing key (0xEE8CBC9E886DDD89)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 5 01:27:32 UTC 2019

the keyserver network is, sadly, showing its age.  Its flaws have been
known within the community for years, and a few proposals have surfaced
for offering a replacement, but the sks software is difficult to
maintain (idiosyncratic ocaml) and deploying larger changes in a
coordinated way across a globally-syncing network is even more
difficult. :(

On Mon 2019-02-04 17:00:56 -0500, Roger Dingledine wrote:
> Thanks Matt. I've been answering a couple of people a day in #tor who are
> confused by this issue. As a stopgap, I've changed the instructions page:
> https://www.torproject.org/docs/debian
> to point people to a keyserver that doesn't (currently) have this bug.

hm, this documentation is still out of date.  modern best practices
would not involve using "apt-key add -", but instead use a Signed-By
option (see sources.list(5)) that point to an otherwise untrusted
curated keyring.

> Ultimately, I wonder if we should start providing a full keyring (text
> file) that people can download from our website and import for themselves.

you can see a good writeup by anarcat here of modern best practices for
a debian repository anchored by such a downloaded key:


If you want to get even smoother, other projects just ship a
*-archive-keyring package directly in debian itself, which enables
pretty easy expansion from mainline debian to a third-party repository,
without the local user having to do any manual cryptographic

I don't think anyone would object to tor-archive-keyring in debian.  If
anyone's interested in doing this, please let me know, i'd be happy to
provide some guidance on the safest way to do this for versions of
debian starting with the current stable ("stretch").


More information about the tor-project mailing list