[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Archive key from deb.torproject.org was renewed - mind the * deb * !

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Archive key from deb.torproject.org was renewed - mind the * deb * !
From: eff_03675549@xxxxxxxxx
Date: Sun, 11 Aug 2024 13:20:01 +0000
Autocrypt: addr=eff_03675549@xxxxxxxxx; keydata= xjMEZluC2RYJKwYBBAHaRw8BAQdA9gfCtHu9G4Kd/UdOcF9B0Xl45dljKGxrg9w7WhEwCRfN H0NhcmxvcyA8ZWZmXzAzNjc1NTQ5QHBvc3Rlby5zZT7CjwQTFggANxYhBG+BefEdGZf0jICS LDIM6oMLD0nbBQJmW4LZBQkDwmcAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQMgzqgwsPSdu4 9wEA6z1VGetxPqVTJouSEhW3oKh/ooBqY9TL8tn/amuaIlABAM0dA8lAPja8q8LQXmbmQQnH UJTqN6KD1ATvPP6qbloBzjgEZluC2RIKKwYBBAGXVQEFAQEHQBZ+GKvjv/yUF8py8N5NA6rS FpZHJRJnPFTXX+X7wTIWAwEIB8J+BBgWCAAmFiEEb4F58R0Zl/SMgJIsMgzqgwsPSdsFAmZb gtkFCQPCZwACGwwACgkQMgzqgwsPSdudpgD/Tpqti/JA/9tZDq+V0r3k5mQQKl/TfHJkP5dM wWPwPuYBAPeTgyJ7RPYhChyo7H2XrzTQQt9JEt8kKxVKEIjtQ5YN
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 11 Aug 2024 09:52:24 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.se; s=2017; t=1723382469; bh=IEQZiwHt+yskMIdCJJdjaAXMY7VMmfCfa2yqeRiZZWQ=; h=Content-Type:Message-ID:Date:MIME-Version:Subject:From:To: Autocrypt:From; b=cowvl/0bgdOtQgyCBM/JV/cNW57ZZVIFcAbKaPV2RHmF8EJMB3gQCQaBl5i2F6X20 9CQvdlcEJ+G9s/4erRyNd6PsL0emCc9FE1ligHVSUs7xkr9BQXaVk55M5MiZNy3ECz WWmJ24rxdkdcoB+yKfqzonyQzZUCUGWLYR9Nip1LIgmZJMRQtjxFkud5XH4JatA4DN qfnKz7x5K5r2bZKN2InLGaYski/EU3wrk5OXMkd5sSQ+GSVFP2qhjHRHev+qYYd88E 7qRr/rh6Q4w1AVNa0Xw3Vtk0bT1MLhvvkSuUUC35E2UMfPjdSTcGWLdwFGbNJ9717V Usai3bcVnRrnw==
In-reply-to: <fe9ec266-15a4-43fc-b2ec-0beddc47e96c@posteo.se>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <3656958.hdfAi7Kttb@t520> <ab632414-4cb0-4736-8952-80c7643c4a12@telekobold.de> <fe9ec266-15a4-43fc-b2ec-0beddc47e96c@posteo.se>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

OK, I code-solved my own misery :

This change is an improvement YET really the subtle minor 3-lettered increment is UNobvious to people like I:

BE VERY CAUTIOUS of the * D.E.B * novelty in the tor.list file:

echo 'deb [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main' >> ../../etc/apt/sources.list.d/tor.list
echo 'deb-src [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main' >> ../../etc/apt/sources.list.d/tor.list

................................below...................................above.....................................................above.......................................................................................................................below
and associated command:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/deb.tor-archive-keyring.gpg >/dev/null

sooo, unbovious.

Question is: how many relays are now running an out-dated gpg keyring?

Carlos.

On 8/11/24 2:06 PM, eff_03675549@xxxxxxxxx wrote:

Hi all,

wait: I just installed a fresh relay and the torproject is still outdated with the old keyring!
(I had to add sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 74A941BA219EC810 to my script).

Isn't this insane given that new comers are going to install vulnerable relays by default?

how come the new installs still have to update?

Carlos.

On 8/2/24 5:16 PM, telekobold wrote:

Hi boldsuck,

thank you for your messages and the explanations. To be honest, I wasn't aware that the GPG key has to be updated manually every two years. However, I still have a few comprehension questions:

On 16.07.24 14:03, boldsuck wrote:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

What exactly is the purpose of "gpg --dearmor" and of "tee" here? Why isn't is enough to just type
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc > /usr/share/keyrings/tor-archive-keyring.gpg
?
I compared the output with and without the "gpg --dearmor" using diff, it is exactly the same. And the only effect of tee is that the binary output is also printed to the terminal. There is even something that is interpreted as a line break at the end of the binary .gpg file so that the terminal tries to execute "1;2c" which leads to an error. However, with the shortened command, everything also works without errors.

>> apt-key -list /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
[...]
> Sorry, above is the key that is installed by the package deb.torproject.org-keyring.
> gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg shows you the one imported via wget.

On my relays (installed "the standard way" using the manuals at the torproject.org website), both commands output the same GPG key with the fingerprint
A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89
So, there seems to be no other Tor-related GPG key installed by the package deb.torproject.org-keyring, just the GPG key manually installed via the above wget command.

And finally, it would be nice if one could check the fingerprint of this key on future physical Tor relay operators meetups like the one at the Chaos Communication Camp. I'm not even sure if wget does any background check based on a hierarchical certificate check of the TLS certificate of torproject.org. If the TLS connection would be somehow corrupted at the moment where one executed the wget command an attacker could corrupt the whole relay, according to my understanding. Or do I have an error in my thinking here?

Kind regards
telekobold
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- 
PGP updated every second week : please actualize our communication every time.

-- 
PGP updated every second week : please actualize our communication every time.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Archive key from deb.torproject.org was renewed - mind the * deb * !
  - From: boldsuck

References:
- Re: [tor-relays] Archive key from deb.torproject.org was renewed!
  - From: telekobold
- Re: [tor-relays] Archive key from deb.torproject.org was renewed!
  - From: eff_03675549

Prev by Author: [tor-relays] 2024 : time to stop using Telegram (e.g. in Bridge line communication.).
Next by Author: Re: [tor-relays] DDOS alerts from my provider
Previous by thread: Re: [tor-relays] Archive key from deb.torproject.org was renewed!
Next by thread: Re: [tor-relays] Archive key from deb.torproject.org was renewed - mind the * deb * !
Index(es):
- Author
- Thread