On Tue, Jul 16, 2024 at 05:01:09PM +0300, Martin Gebhardt via tor-relays wrote:
> >> wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
> >
> > Is the name important?
>
> I assume it's Debian? The configuration of the signing key and the repo is configured in Debian (and Ubuntu?) via sources.list, see $ man 5 sources.list.
>
> In most cases this will look something like this:
> $ cat /etc/apt/sources.list.d/tor.list
>
> deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
> deb-src [signed-by=/etc/apt/trusted.gpg.d/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
>
> You can place the key anywhere that ‘apt’ can access, you only need to change the path in the source file.

I would recommend placing it at /usr/share/keyrings/deb.torproject.org-keyring.gpg, but only if you don't have the deb.torproject.org-keyring package already installed:

1. On a fresh system, manually download the key to /usr/share/keyrings/deb.torproject.org-keyring.gpg.
2. Then configure sources.list, install apt-transport-https etc.
3. Finally, install the deb.torproject.org-keyring package. It will overwrite /usr/share/keyrings/deb.torproject.org-keyring.gpg with the version from the package.

Afterwards, you won't have to manually update the key once a new version is available: it will be upgraded whenever a new deb.torproject.org-keyring package version is installed.

I have created a merge request to update the documentation in order to recommend this:

https://gitlab.torproject.org/tpo/web/support/-/merge_requests/220

> Note, however, that for keys that are not managed by a package or the package manager itself, they should be stored either in /usr/share/keyrings or /etc/apt/keyrings.
>
> however, you can also overwrite the existing key.
I'm not a fan of this and still keep all (old) versions in the keyring..
>
> Since you are all tinkering with your servers anyway, why don't you try deb822-style ;-)
>
> $ cat /etc/apt/sources.list.d/tor.sources
>
> Types: deb deb-src
> URIs: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org
> URIs: https://deb.torproject.org/torproject.org
> Suites: bookworm
> Components: main
> Architectures: amd64
> Signed-By: /etc/apt/keyrings/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.gpg

Interesting :)

--
Silvio Rhatto
pronouns he/him
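An added example, not code from any participant in this thread: a small audit of apt source text in both the one-line and deb822 formats quoted above, reporting entries whose signing key is unset, not present on disk, or outside the two keyring directories the thread names. The function names, the `ON_DISK` set and the treatment of every Signed-By value as a file path are assumptions of this sketch; the constructed sample reuses the thread's tor.list lines, where the deb-src entry names a keyring under /etc/apt/trusted.gpg.d while the wget command wrote the key to /usr/share/keyrings.

```python
import re

# Directories the thread names for keys not managed by a package or by apt itself.
KEY_DIRS = ("/usr/share/keyrings/", "/etc/apt/keyrings/")
ONE_LINE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)")

def parse_sources(text):
    """Return [(type, uri, signed_by_or_None)] from one-line or deb822 source text."""
    entries, stanza = [], {}
    def flush():  # expand a finished deb822 stanza into one entry per type and URI
        for typ in stanza.get("types", "").split():
            for uri in stanza.get("uris", "").split():
                entries.append((typ, uri, stanza.get("signed-by")))
        stanza.clear()
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last stanza
        line = raw.strip()
        if m := ONE_LINE.match(line):
            opts = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
            entries.append((m.group(1), m.group(3), opts.get("signed-by")))
        elif not line:
            flush()
        elif ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            stanza[key.strip().lower()] = value.strip()
    return entries

def audit(text, existing_keyrings):
    """Flag entries whose signing key is unset, missing on disk, or outside KEY_DIRS."""
    findings = []
    for typ, uri, key in parse_sources(text):
        if key is None:
            findings.append((typ, uri, "no signed-by"))
        elif key not in existing_keyrings:
            findings.append((typ, uri, "keyring not found: " + key))
        elif not key.startswith(KEY_DIRS):
            findings.append((typ, uri, "keyring outside recommended dirs: " + key))
    return findings

# Constructed sample mirroring the thread's tor.list: deb and deb-src name different keyrings.
SAMPLE = """\
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/etc/apt/trusted.gpg.d/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
"""
ON_DISK = {"/usr/share/keyrings/tor-archive-keyring.gpg"}  # assumed: the only key file present

if __name__ == "__main__":
    for finding in audit(SAMPLE, ON_DISK):
        print(" | ".join(finding))
```

On a real host, `existing_keyrings` would be built from the files actually present, and the text read from /etc/apt/sources.list.d/.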