Re: [tor-bugs] #30549 [Applications/Tor Browser]: Add script to remove expired sub-keys from a keyring file
#30549: Add script to remove expired sub-keys from a keyring file
--------------------------------------------+------------------------------
Reporter: boklm | Owner: tbb-team
Type: task | Status: needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201905R, tbb-rbm | Actual Points:
Parent ID: #30548 | Points:
Reviewer: | Sponsor:
--------------------------------------------+------------------------------
Changes (by boklm):
* keywords: TorBrowserTeam201905, tbb-rbm => TorBrowserTeam201905R, tbb-rbm
* status: needs_revision => needs_review
Comment:
Replying to [comment:4 gk]:
> The `list-all-keyrings` script looks good to me. However, it does
> sometimes weird things in that it only lists the `binutils` key and then
> stops + it modifies it as well and I am left with a `binutils.gpg~` file.
> I am still hunting for steps to repro that reliably... That's with GnuPG
> 2.2.13 on a Debian testing/unstable box in case it matters.
The issue with the `*.gpg~` files seems similar to #25435, which is fixed
by adding the flag `--no-auto-check-trustdb`. I added it to `list-all-keyrings`
and `drop-expired-sub-keys` in branch `bug_30549_v3`:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_30549_v3&id=0151dd050de272f32a690d39f5ba501220844df5
I am not sure what the issue is when it only lists binutils and stops.
>
> Regarding the `drop-expired-sub-keys` script:
>
> 1) The script does not differentiate between subkeys that are expired in
> our `tor-browser-build` repo but are not expired in reality: there are
> folks that just extend the expiration date from time to time instead of/in
> addition to renewing keys.
>
> 2) The script should not touch keys that have no expired subkeys. When I
> currently do something like `tools/keyring/drop-expired-sub-keys
> keyring/zlib.gpg` then I get a modified `zlib.gpg` afterwards which I
> should not get.
I think we should only run `drop-expired-sub-keys` in the cases where we
know it is actually needed.
The process would be something like this:
- Run `list-all-keyrings` to see if we include any expired key/sub-key.
Then for each expired key/sub-key:
- Check if the expiration is expected, and do nothing in that case.
- Check if the owner of that key/sub-key extended it, and in that case add
the updated key/sub-key.
- If the sub-key is not needed anymore, use `drop-expired-sub-keys` to
remove it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30549#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
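An added example of the listing step described in the comment above (this is not code from the ticket or from tor-browser-build's own `list-all-keyrings` / `drop-expired-sub-keys` tools). It dumps a keyring read-only with `--no-auto-check-trustdb` so gpg does not leave `*.gpg~` backups behind, parses the `--with-colons` records to report expired keys and sub-keys, and provides a guard so a modifying drop step only runs on keyrings that actually contain one. The function names, the reference-time argument and the sample dump are assumptions made for this example; the sample is constructed, not a real keyring.

```shell
#!/bin/sh
# Added example, not tor-browser-build's own tools: find expired keys and
# sub-keys in a GnuPG keyring file from `gpg --with-colons` output.
set -e

# Dump one keyring file in machine-readable (colon) form, read-only.
# --no-auto-check-trustdb keeps gpg from rewriting the trustdb/keyring as a
# side effect of listing, which is what leaves the `*.gpg~` backup files.
dump_keyring() {
    gpg --no-default-keyring --keyring "$1" \
        --no-auto-check-trustdb --fixed-list-mode --with-colons --list-keys
}

# Read colon records on stdin and print one line per expired key or sub-key:
#   <pub|sub> <expiry-epoch> <fingerprint>
# Per gpg's doc/DETAILS, field 2 is the validity ('e' = expired, gpg's own
# verdict at dump time) and field 7 the expiration time (epoch seconds with
# --fixed-list-mode); the fpr record that follows a pub/sub record carries the
# full fingerprint in field 10. Argument 1 is a reference time (default: now),
# so a key that is still valid today but lapses before, say, a planned
# release date is reported too.
list_expired() {
    awk -F: -v now="${1:-$(date +%s)}" '
        $1 == "pub" || $1 == "sub" {
            type = $1
            expiry = $7
            expired = ($2 == "e") || ($7 != "" && $7 + 0 <= now + 0)
            next
        }
        $1 == "fpr" && type != "" {
            if (expired) print type, expiry, $10
            type = ""
        }
    '
}

# Guard for the modifying step: succeeds only when the dump on stdin contains
# an expired key or sub-key, so a drop script is run only on keyrings that
# actually need it and untouched keyrings stay byte-identical.
has_expired() {
    list_expired "${1:-}" | grep -q .
}

# Constructed sample dump (not a real keyring): one primary key with two
# signing sub-keys; gpg has already marked the first sub-key expired ('e').
SAMPLE_KEYRING_DUMP='tru::1:1557000000:0:3:1:5
pub:-:4096:1:AAAA000000000001:1400000000:1800000000::-::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAA000000000001:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example Maintainer <maintainer@example.org>::::::::::0:
sub:e:4096:1:BBBB000000000002:1400000000:1500000000:::::s::::::23:
fpr:::::::::0123456789ABCDEF01234567BBBB000000000002:
sub:-:4096:1:CCCC000000000003:1500000000:1800000000:::::s::::::23:
fpr:::::::::0123456789ABCDEF01234567CCCC000000000003:'

# Usage against a real keyring (needs gpg):
#   dump_keyring keyring/zlib.gpg | list_expired
#   dump_keyring keyring/zlib.gpg | has_expired && echo "run the drop step"
# Stand-alone demo on the constructed sample, with 2019-05-04 as reference time:
printf '%s\n' "$SAMPLE_KEYRING_DUMP" | list_expired 1557000000
```

What this cannot tell you is gk's first point: whether the owner has since extended the expiration date upstream. An expired sub-key reported here only means the copy in the repository has lapsed; the operator still has to fetch the owner's current key and compare before deciding between adding the extended key and dropping the sub-key.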