[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #28971 [Applications/Tor Browser]: (Sub)key rotation sometimes break downstream projects
#28971: (Sub)key rotation sometimes break downstream projects
------------------------------------------+------------------------------
Reporter: ahf | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone: Tor: unspecified
Component: Applications/Tor Browser | Version: Tor: unspecified
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+------------------------------
Micah's Torbrowser Launcher (https://github.com/micahflee/torbrowser-
launcher/) seems to be using the Tor Browser Teams' signing key
(0x4E2C6E8793298290), but sometimes this key gets new sub-keys added,
which isn't included by torbrowser-launcher in time before a new version
of Tor Browser, which uses the new subkey for signing, is released.
This leads to breakage for the user and a slightly worrying error message
("You might be under attack").
1. Do we currently have a policy for the signing key (and subkeys) for
when they are rotated/have new subkeys?
2. Do we currently have a place where the new subkeys are announced? Does
potential downstream maintainers have a reasonable amount of time to
update their software to handle this key rotation?
3. Do we have a location where torbrowser-launcher can fetch this PGP key
automatically (maybe on TPO infrastructure for downstream maintainers to
fetch and include in their code repositories?) It sounds like `gpg --recv-
keys` sometimes fail?
If the answers to some of the above questions are no, is that something we
might want to change in the future?
Related tickets from torbrowser-launcher:
- https://github.com/micahflee/torbrowser-launcher/issues/349
- https://github.com/micahflee/torbrowser-launcher/issues/358
Related random forum post with the same issue from some distribution:
- https://rebornos.freeforums.net/thread/36/pgp-signatures-verified-
solved-fixed
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28971>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs