[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] Distributing Tor developer keys via Fedora packages



Hi everyone,

I propose distributing the Tor developer keys inside the Fedora package distribution-gpg-keys.[1]  This would give most Linux users a trustworthy chain of signatures from their own distributor (e.g. CentOS or Fedora) to Tor project downloads.

I am happy to take care of this, although I am also happy if somebody who is more involved with Tor than me takes this on.  I wrote a shell script (attached) to acquire and organise the keys based on https://2019.www.torproject.org/include/keys.txt.  My script would install the following keys under /usr/share/distribution-gpg-keys/tor:

Arm_releases/Damian_Johnson.gpg
Tails_live_system_releases/The_Tails_team.gpg
TorBirdy_releases/Sukhbir_Singh.gpg
Tor_Browser_releases/Arthur_Edelstein.gpg
Tor_Browser_releases/Georg_Koppen.gpg
Tor_Browser_releases/Mike_Perry.gpg
Tor_Browser_releases/Nicolas_Vigier.gpg
Tor_Browser_releases/The_Tor_Browser_Developers.gpg
Tor_source_tarballs/Nick_Mathewson.gpg
Tor_source_tarballs/Roger_Dingledine.gpg
Torsocks_releases/David_Goulet.gpg
deb.torproject.org_repositories_and_archives/Tor_Project_Archive.gpg
older_Tor_tarballs/Nick_Mathewson.gpg
other/Peter_Palfrader.gpg

Unless someone else volunteers (please do!), I will set up a weekly job to run the script and alert me to any changes.

Can anyone see any potential problems with this plan?

The most obvious question is: how do I know that I am distributing unadulterated keys?  I think the answer is that I don't!  But any attack would have to affect a large group of people, and would be detected quickly as long as many people are looking at the distribution-gpg-keys package.  If this solution is unsatisfactory, then perhaps someone who is more involved with the Tor developers -- and hence able to directly check the keys -- ought to take this on.

[1] See https://github.com/xsuchy/distribution-gpg-keys and https://rpmfind.net/linux/RPM/fedora/updates/32/x86_64/Packages/d/distribution-gpg-keys-1.39-1.fc32.noarch.html

Attachment: fetch
Description: Binary data

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev