[tor-bugs] #22637 [Webpages/Website]: Find a more maintainable approach for the signing-keys page
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Aug 11 22:17:43 UTC 2018
#22637: Find a more maintainable approach for the signing-keys page
------------------------------------------+--------------------------------
Reporter: arma                            | Owner: hiro
Type: defect                              | Status: accepted
Priority: Medium                          | Milestone: website redesign
Component: Webpages/Website               | Version:
Severity: Normal                          | Resolution:
Keywords: website-content, website-bug    | Actual Points:
Parent ID:                                | Points:
Reviewer:                                 | Sponsor:
------------------------------------------+--------------------------------
Comment (by traumschule):
This question came up in #tor today, I tried to answer (happy about
feedback):
> Hello all! I've been naively assuming to-date that @nickm signs all the
Tor source bundles, but it turns out that the latest one that I'm fetching
(3.3.9) is signed by Roger under C218525819F78451 - I'm wondering if
there's a resource I can read to understand who is/is-not a trusted
signer, please?
> You can install the deb.torproject.org-keyring package:
https://www.torproject.org/docs/debian.html.en
> The signing keys are on this page: https://www.torproject.org/docs/signing-keys.html.en
> that's a really interesting idea ... though I am a little worried,
because this is on Raspbian / Raspberry Pi, and so that might not work.
> On Raspbian you could retrieve the source as explained at the link above
and run 'apt source deb.torproject.org-keyring'. Then the keyring is in
deb.torproject.org-keyring-2018.08.06/keyrings/deb.torproject.org-keyring.gpg
> Torproject could improve the authenticity of the signing keys page by
actually signing it.
My proposal is to have a script referenced in the Makefile of webwml which
creates a text file containing a signed statement of
[https://www.torproject.org/docs/signing-keys.html.en responsibilities]
with all valid fingerprints and subkeys. Including this in the website
would raise the credibility of the site a little. Riseup uses a similar
process for their [https://riseup.net/en/security/network-security/certificates TLS certificates].
{{{
#!/bin/sh
# Fetch the signing keys, then write their fingerprints into a clearsigned statement.
# option 1: list all keyids (as on the signing-keys page) and fetch them from a keyserver
keys="0x4E2C6E8793298290 0x0E3A92E4 0x4B7C3223 0xD0220E4B 0x23291265
0xD752F538C0D38C3A 0x28988BF5 0x19F78451 0xFE43009C4607B1FB
0x6AFEE6D49E92B601 0x165733EA 0x8D29319A 0x886DDD89 0x9ABBEEC6 0x58ACD84F
0x42E86A2A11F48D36 0xB01C8B006DA77FAA 0xC82E0039 0xE1DEC577"
gpg --recv-keys $keys
# option 2: import the keys from the Debian keyring package instead
apt source deb.torproject.org-keyring
gpg --import deb.torproject.org-keyring-*/keyrings/deb.torproject.org-keyring.gpg
# the exact options may differ
# write the fingerprints (primary keys and subkeys) into the statement ...
gpg --fingerprint $keys >> docs/en/signing-keys.txt
# ... and clearsign it; this produces docs/en/signing-keys.txt.asc
gpg --clearsign docs/en/signing-keys.txt
}}}
related: #21808, #23586
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22637#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
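Added example (not part of the ticket or of webwml): a small Python renderer for the statement the proposal would feed to gpg --clearsign. It consumes the machine-readable listing from `gpg --with-colons --with-subkey-fingerprints --fingerprint $keys` (the sample below is constructed, not the Tor keys) and skips keys whose validity field marks them expired, revoked or disabled, so only currently valid primary fingerprints and subkeys land in signing-keys.txt.

```python
# Constructed sample of `gpg --with-colons --with-subkey-fingerprints --fingerprint`
# output (not the Tor keys): one valid key with a signing subkey, one expired key.
SAMPLE_COLONS = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:1700000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::ABCDEF::Example Dev <dev@example.invalid>::::::::::0:
sub:u:4096:1:89ABCDEF01234567:1500000000:1700000000:::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:e:2048:1:FEDCBA9876543210:1400000000:1500000000::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:e::::1400000000::123456::Old Dev <old@example.invalid>::::::::::0:
"""
BAD_VALIDITY = set("ider")  # validity field: invalid, disabled, expired, revoked

def parse_keys(colons):
    """One dict per primary key: fingerprint, validity, uids, subkeys."""
    keys, current, pending = [], None, None
    for line in colons.splitlines():
        f = line.split(":")  # field indexes below are 0-based (gpg DETAILS uses 1-based)
        if f[0] == "pub":
            current = {"fpr": None, "valid": f[1] not in BAD_VALIDITY,
                       "uids": [], "subs": []}
            keys.append(current)
            pending = ("pub", None)  # the next fpr record is the primary's
        elif f[0] == "sub" and current:
            pending = ("sub", f[11])  # f[11] = capability letters, e.g. "s"
        elif f[0] == "fpr" and pending:
            if pending[0] == "pub":
                current["fpr"] = f[9]  # f[9] = full 40-hex fingerprint
            else:
                current["subs"].append((f[9], pending[1]))
            pending = None
        elif f[0] == "uid" and current:
            current["uids"].append(f[9])
    return keys

def render_statement(colons):
    """Plain text for `gpg --clearsign`; invalid keys are named but not listed."""
    out, skipped = ["Signing keys (check the clearsign signature before trusting)", ""], []
    for k in parse_keys(colons):
        if not k["valid"]:
            skipped.append(k["fpr"])
            continue
        out.append("Primary key: " + k["fpr"])
        out.extend("  uid: " + u for u in k["uids"])
        out.extend(f"  subkey ({caps}): {fpr}" for fpr, caps in k["subs"])
        out.append("")
    if skipped:
        out.append("Not listed (expired, revoked or disabled): " + ", ".join(skipped))
    return "\n".join(out)
```

Piping real gpg output into render_statement and clearsigning the result gives the signed statement the proposal describes; a reader checks the signature, not the HTML page, before trusting any fingerprint.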