Hi everyone,
I propose distributing the Tor developer keys inside the Fedora package distribution-gpg-keys.[1] This would give most Linux users a trustworthy chain of signatures from their own distributor (e.g. CentOS or Fedora) to Tor project downloads.
I am happy to take care of this, although I am also happy if somebody who is more involved with Tor than me takes this on. I wrote a shell script (attached) to acquire and organise the keys based on
https://2019.www.torproject.org/include/keys.txt. My script would install the following keys under /usr/share/distribution-gpg-keys/tor:
Arm_releases/Damian_Johnson.gpg
Tails_live_system_releases/The_Tails_team.gpg
TorBirdy_releases/Sukhbir_Singh.gpg
Tor_Browser_releases/Arthur_Edelstein.gpg
Tor_Browser_releases/Georg_Koppen.gpg
Tor_Browser_releases/Mike_Perry.gpg
Tor_Browser_releases/Nicolas_Vigier.gpg
Tor_Browser_releases/The_Tor_Browser_Developers.gpg
Tor_source_tarballs/Nick_Mathewson.gpg
Tor_source_tarballs/Roger_Dingledine.gpg
Torsocks_releases/David_Goulet.gpg
deb.torproject.org_repositories_and_archives/Tor_Project_Archive.gpg
older_Tor_tarballs/Nick_Mathewson.gpg
other/Peter_Palfrader.gpg
Unless someone else volunteers (please do!), I will set up a weekly job to run the script and alert me to any changes.
Can anyone see any potential problems with this plan?
The most obvious question is: how do I know that I am distributing unadulterated keys? I think the answer is that I don't! But any attack would have to affect a large group of people, and would be detected quickly as long as many people are looking at the distribution-gpg-keys package. If this solution is unsatisfactory, then perhaps someone who is more involved with the Tor developers -- and hence able to directly check the keys -- ought to take this on.