[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Distributing Tor developer keys via Fedora packages



Hi Matt,

On Mon, 20 Jul 2020 at 22:37, Matthew Finkel <sysrqb@xxxxxxxxxxxxxx> wrote:
> I propose distributing the Tor developer keys inside the Fedora package
> distribution-gpg-keys.[1]  This would give most Linux users a trustworthy
> chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> Tor project downloads.

(most? :) )

I suspect so.  I haven't checked if Debian/Ubuntu have keyrings for Fedora.  (Vice versa is certainly true.)
 
> I am happy to take care of this, although I am also happy if somebody who
> is more involved with Tor than me takes this on.  I wrote a shell script
> (attached) to acquire and organise the keys based on
> https://2019.www.torproject.org/include/keys.txt.  My script would install
> the following keys under /usr/share/distribution-gpg-keys/tor:

Unfortuntately that file is very old and incorrect now.

That is unfortunate.  Is there any sensible way that users can currently verify signatures of their downloads?  (Can I mimic that?)
 
> The most obvious question is: how do I know that I am distributing
> unadulterated keys?  I think the answer is that I don't!  But any attack
> would have to affect a large group of people, and would be detected quickly
> as long as many people are looking at the distribution-gpg-keys package.
> If this solution is unsatisfactory, then perhaps someone who is more
> involved with the Tor developers -- and hence able to directly check the
> keys -- ought to take this on.

Yeah, if a package like this exists and it has tor's name attached to
it, then we should have a high degree of confidence that the package
contains the correct keys.

I'm not sure I understood what you mean.  Are you worried about an attack?  Or just miscommunication?
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev