[tor-relays] Archive key from deb.torproject.org was renewed!

eff_03675549 at posteo.se eff_03675549 at posteo.se
Sun Aug 11 12:06:36 UTC 2024


Hi all,

wait: I just installed a fresh relay and the torproject is still 
outdated with the old keyring!
(I had to add `sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 74A941BA219EC810` to my script).

Isn't this insane given that newcomers are going to install vulnerable 
relays by default?

*how come the new installs still have to update?

*Carlos.



On 8/2/24 5:16 PM, telekobold wrote:
> Hi boldsuck,
>
> thank you for your messages and the explanations. To be honest, I 
> wasn't aware that the GPG key has to be updated manually every two 
> years. However, I still have a few comprehension questions:
>
> On 16.07.24 14:03, boldsuck wrote:
>
>> wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
>
> What exactly is the purpose of "gpg --dearmor" and of "tee" here? Why 
> isn't it enough to just type
> wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc > /usr/share/keyrings/tor-archive-keyring.gpg
> ?
> I compared the output with and without the "gpg --dearmor" using diff, 
> it is exactly the same. And the only effect of tee is that the binary 
> output is also printed to the terminal. There is even something that 
> is interpreted as a line break at the end of the binary .gpg file so 
> that the terminal tries to execute "1;2c" which leads to an error. 
> However, with the shortened command, everything also works without 
> errors.
>
> >> apt-key list /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
> [...]
> > Sorry, above is the key that is installed by the package 
> deb.torproject.org-keyring.
> > gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg shows 
> you the one imported via wget.
>
> On my relays (installed "the standard way" using the manuals at the 
> torproject.org website), both commands output the same GPG key with 
> the fingerprint
> A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89
> So, there seems to be no other Tor-related GPG key installed by the 
> package deb.torproject.org-keyring, just the GPG key manually 
> installed via the above wget command.
>
>
> And finally, it would be nice if one could check the fingerprint of 
> this key on future physical Tor relay operators meetups like the one 
> at the Chaos Communication Camp. I'm not even sure if wget does any 
> background check based on a hierarchical certificate check of the TLS 
> certificate of torproject.org. If the TLS connection were somehow 
> corrupted at the moment one executed the wget command, an 
> attacker could corrupt the whole relay, according to my understanding. 
> Or do I have an error in my thinking here?
>
>
> Kind regards
> telekobold
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

-- 
PGP updated every second week : please actualize our communication every time.
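The pipeline quoted in the thread (wget | gpg --dearmor | tee into /usr/share/keyrings) installs whatever the download returns. The script below is an added example, not from any poster or from the Tor Project: it dearmors the key only after its primary fingerprint matches the value telekobold quotes, so a download that does not carry the expected key never reaches the keyring. It assumes gpg is installed; the URL, fingerprint and keyring path are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the tor-relays thread): verify an APT signing key's
# fingerprint against an out-of-band value before installing it.
set -u

# Fingerprint quoted in the thread (spaces removed), the URL boldsuck posted,
# and the keyring path from the same command.
EXPECTED_FPR="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"
KEY_URL="https://deb.torproject.org/torproject.org/${EXPECTED_FPR}.asc"
KEYRING="/usr/share/keyrings/tor-archive-keyring.gpg"

# Print the fingerprints of the keys in an armored or binary key file, using
# gpg's machine-readable colon output ("fpr" records, field 10). The first
# line is the primary key's fingerprint.
key_fingerprints() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Dearmor $1 into $2 only if its primary key fingerprint equals $3.
# On mismatch nothing is written and the function returns 1.
install_key_if_matches() {
    src="$1"; dest="$2"; want="$3"
    got=$(key_fingerprints "$src" | head -n 1)
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got '${got:-none}', expected '$want'" >&2
        return 1
    fi
    # gpg --dearmor turns the ASCII-armored .asc into the binary keyring
    # format; writing to a file here replaces the "tee ... >/dev/null" trick.
    gpg --dearmor < "$src" > "$dest"
}

# Network-using wrapper for the thread's pipeline (not exercised offline).
fetch_and_install() {
    tmpfile=$(mktemp)
    wget -qO "$tmpfile" "$KEY_URL"
    if install_key_if_matches "$tmpfile" "$KEYRING" "$EXPECTED_FPR"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmpfile"
    return "$rc"
}
```

Run `fetch_and_install` as root to reproduce the thread's command with the fingerprint check in front of the keyring write.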