[tor-relays] Archive key from deb.torproject.org was renewed!
rhatto
rhatto at torproject.org
Wed Jul 17 16:43:46 UTC 2024
On Tue, Jul 16, 2024 at 05:01:09PM +0300, Martin Gebhardt via tor-relays wrote:
> >> wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
> >
> > Is the name important?
>
> I assume it's Debian? The configuration of the signing key and the repo is configured in Debian (and Ubuntu?) via sources.list, see $ man 5 sources.list.
>
> In most cases this will look something like this:
> $ cat /etc/apt/sources.list.d/tor.list
>
> deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
> deb-src [signed-by=/etc/apt/trusted.gpg.d/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
>
> You can place the key anywhere that ‘apt’ can access, you only need to change the path in the source file.
I would recommend placing it at /usr/share/keyrings/deb.torproject.org-keyring.gpg,
but only if you don't have the deb.torproject.org-keyring package already installed:
1. On a fresh system, manually download the key to
/usr/share/keyrings/deb.torproject.org-keyring.gpg.
2. Then configure sources.list, install apt-transport-https etc.
3. Finally, install the deb.torproject.org-keyring package.
It will overwrite /usr/share/keyrings/deb.torproject.org-keyring.gpg
with the version from the package.
Afterwards, you won't have to manually update the key once a new version
is available: it will be upgraded whenever a new
deb.torproject.org-keyring package version is installed.
I have created a merge request to update the documentation in order to
recommend this: https://gitlab.torproject.org/tpo/web/support/-/merge_requests/220
> Note, however, that for keys that are not managed by a package or the package manager itself, they should be stored either in /usr/share/keyrings or /etc/apt/keyrings.
>
> However, you can also overwrite the existing key. I'm not a fan of this and still keep all (old) versions in the keyring.
>
> Since you are all tinkering with your servers anyway, why don't you try deb822-style ;-)
>
> $ cat /etc/apt/sources.list.d/tor.sources
>
> Types: deb deb-src
> URIs: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org
> URIs: https://deb.torproject.org/torproject.org
> Suites: bookworm
> Components: main
> Architectures: amd64
> Signed-By: /etc/apt/keyrings/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.gpg
Interesting :)
--
Silvio Rhatto
pronouns he/him
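As an added example (not code from the thread or from the Tor Project), a POSIX shell script that follows the three-step sequence above and, before trusting the downloaded key, checks its fingerprint against the one that appears in the key URL; the function names and the RUN_TOR_SETUP guard are assumptions of this example:

```shell
# Added example (not from the thread): fetch the Tor archive key, check its
# fingerprint before trusting it, write a signed-by sources entry, and then let
# the deb.torproject.org-keyring package handle future key updates.
set -eu

# Fingerprint and key URL as given in the thread; keyring path as recommended
# in the reply above.
EXPECTED_FPR="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"
KEY_URL="https://deb.torproject.org/torproject.org/${EXPECTED_FPR}.asc"
KEYRING="/usr/share/keyrings/deb.torproject.org-keyring.gpg"

# Print the fingerprints (primary key first) found in a binary keyring file.
keyring_fingerprints() {
    gpg --no-default-keyring --keyring "$1" --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Compare a fingerprint against the expected one, ignoring spaces and case.
fingerprint_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "$got" = "$EXPECTED_FPR" ]
}

# Build the sources.list line for a suite ($1) and a keyring path ($2).
sources_entry() {
    printf 'deb [signed-by=%s] https://deb.torproject.org/torproject.org %s main\n' "$2" "$1"
}

# Steps 1-3 from the reply: verified key, sources entry, then keyring package.
install_tor_repo() {
    suite="$1"
    tmp=$(mktemp)
    wget -qO- "$KEY_URL" | gpg --dearmor > "$tmp"
    fpr=$(keyring_fingerprints "$tmp" | head -n 1)
    if ! fingerprint_matches "$fpr"; then
        echo "fingerprint mismatch: got '$fpr', expected $EXPECTED_FPR" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp"
    sources_entry "$suite" "$KEYRING" > /etc/apt/sources.list.d/tor.list
    apt-get update
    apt-get install -y apt-transport-https deb.torproject.org-keyring
}

# Sourcing this file only defines functions; run the installer on request.
if [ "${RUN_TOR_SETUP:-0}" = "1" ]; then
    install_tor_repo "${1:-bookworm}"
fi
```

Run as root with `RUN_TOR_SETUP=1 sh tor-repo.sh bookworm`; a key whose fingerprint does not match is discarded and nothing is written to /etc/apt.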