[tor-project] Problems fetching Debian package archive signing key (0xEE8CBC9E886DDD89)

Matthew Finkel matthew.finkel at gmail.com
Fri Feb 22 16:04:57 UTC 2019


On Mon, Feb 04, 2019 at 07:27:32PM -0600, Daniel Kahn Gillmor wrote:
> the keyserver network is, sadly, showing its age.  Its flaws have been
> known within the community for years, and a few proposals have surfaced
> for offering a replacement, but the sks software is difficult to
> maintain (idiosyncratic ocaml) and deploying larger changes in a
> coordinated way across a globally-syncing network is even more
> difficult. :(
> 
> On Mon 2019-02-04 17:00:56 -0500, Roger Dingledine wrote:
> > Thanks Matt. I've been answering a couple of people a day in #tor who are
> > confused by this issue. As a stopgap, I've changed the instructions page:
> > https://www.torproject.org/docs/debian
> > to point people to a keyserver that doesn't (currently) have this bug.
> 
> hm, this documentation is still out of date.  modern best practices
> would not involve using "apt-key add -", but instead use a Signed-By
> option (see sources.list(5)) that points to an otherwise untrusted
> curated keyring.

That sounds great.

> 
> > Ultimately, I wonder if we should start providing a full keyring (text
> > file) that people can download from our website and import for themselves.
> 
> you can see a good writeup by anarcat here of modern best practices for
> a debian repository anchored by such a downloaded key:
> 
>     https://wiki.debian.org/DebianRepository/UseThirdParty
> 
> If you want to get even smoother, other projects just ship a
> *-archive-keyring package directly in debian itself, which enables
> pretty easy expansion from mainline debian to a third-party repository,
> without the local user having to do any manual cryptographic
> verification.

I don't know if the sysadmin team already considered this, and decided
against it for some reason. It sure would be nice having a simpler
process for this.

> 
> I don't think anyone would object to tor-archive-keyring in debian.  If
> anyone's interested in doing this, please let me know, I'd be happy to
> provide some guidance on the safest way to do this for versions of
> debian starting with the current stable ("stretch").
> 
>        --dkg
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
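A worked version of the Signed-By approach dkg describes above, added here as an example and not code from the thread or from the Tor project: it emits apt source entries that trust a third-party repository only through its own keyring, and refuses keyrings placed in apt's global trust store (where "apt-key add -" would put them). The repository URL and the keyring path are assumed placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Tor project.
# Builds apt source entries that trust a third-party repository only
# through its own curated keyring (sources.list(5) Signed-By), in place
# of the "apt-key add -" step the thread calls out of date.
# Assumed placeholders: the repository URL and the keyring path.

# A Signed-By keyring must sit outside apt's global trust store: a key in
# /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/ is trusted for every
# repository, which is exactly the weakness Signed-By exists to remove.
keyring_is_scoped() {
    case "$1" in
        /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;   # relative paths are ambiguous; reject them
    esac
}

# One-line style: deb [signed-by=KEYRING] URL SUITE main
signed_by_entry() {
    keyring_is_scoped "$3" || return 1
    printf 'deb [signed-by=%s] %s %s main\n' "$3" "$1" "$2"
}

# Equivalent deb822 stanza for /etc/apt/sources.list.d/NAME.sources
signed_by_stanza() {
    keyring_is_scoped "$3" || return 1
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: main\nSigned-By: %s\n' \
        "$1" "$2" "$3"
}

# Out-of-date form the thread warns against, kept as a string for
# comparison only: "apt-key add -" trusts the key for all repositories.
legacy_form='apt-key add -'
```

Running `signed_by_entry https://repo.example.org/debian stretch /usr/share/keyrings/tor-archive-keyring.gpg` prints the one-line entry; passing a path under /etc/apt/trusted.gpg.d/ makes both functions fail instead of emitting a globally trusted key.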
