[tor-bugs] #28971 [Applications/Tor Browser]: (Sub)key rotation sometimes break downstream projects

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 2 01:13:07 UTC 2019


#28971: (Sub)key rotation sometimes break downstream projects
------------------------------------------+------------------------------
     Reporter:  ahf                       |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:  Tor: unspecified
    Component:  Applications/Tor Browser  |    Version:  Tor: unspecified
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+------------------------------
 Micah's Torbrowser Launcher
 (https://github.com/micahflee/torbrowser-launcher/) seems to be using the
 Tor Browser Team's signing key (0x4E2C6E8793298290), but sometimes this key
 gets new sub-keys added, which aren't included by torbrowser-launcher in
 time before a new version of Tor Browser, which uses the new subkey for
 signing, is released.

 This leads to breakage for the user and a slightly worrying error message
 ("You might be under attack").

 1. Do we currently have a policy for the signing key (and subkeys) for
 when they are rotated/have new subkeys?
 2. Do we currently have a place where the new subkeys are announced? Do
 potential downstream maintainers have a reasonable amount of time to
 update their software to handle this key rotation?
 3. Do we have a location where torbrowser-launcher can fetch this PGP key
 automatically (maybe on TPO infrastructure for downstream maintainers to
 fetch and include in their code repositories?) It sounds like
 `gpg --recv-keys` sometimes fails?

 If the answers to some of the above questions are no, is that something we
 might want to change in the future?

 Related tickets from torbrowser-launcher:

 - https://github.com/micahflee/torbrowser-launcher/issues/349
 - https://github.com/micahflee/torbrowser-launcher/issues/358

 Related random forum post with the same issue from some distribution:

 - https://rebornos.freeforums.net/thread/36/pgp-signatures-verified-solved-fixed

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28971>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
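As an added illustration of the failure mode the ticket describes (this is not code from torbrowser-launcher or the Tor Project), the following Python parses `gpg --status-fd` output and separates "the signing subkey is not in the local keyring" (expected after a subkey rotation, fixable by refreshing the pinned key) from a bad signature or a signature by a different key. The pinned fingerprint, key IDs and status lines are constructed placeholders; the ticket only gives the long key ID 0x4E2C6E8793298290.

```python
import re

# Constructed placeholder: a real downstream pins the full 40-hex primary
# fingerprint obtained out of band, not just the long key ID from the ticket.
PINNED_PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text):
    """Return (keyword, args) pairs from `gpg --status-fd` lines."""
    records = []
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            records.append((m.group(1), (m.group(2) or "").split()))
    return records


def classify(status_text, pinned_fpr=PINNED_PRIMARY_FPR):
    """Classify one verification run as (verdict, detail)."""
    keywords = dict(parse_status(status_text))
    if "BADSIG" in keywords:
        # The signature was made by a known key but does not match the file.
        return "tampered", keywords["BADSIG"][0]
    if "NO_PUBKEY" in keywords:
        # The signing (sub)key is unknown locally. After a subkey rotation this
        # is the expected outcome: refresh the key before calling it an attack.
        return "unknown-subkey", keywords["NO_PUBKEY"][0]
    if "VALIDSIG" in keywords:
        args = keywords["VALIDSIG"]
        # VALIDSIG's 10th field is the primary key fingerprint, present even
        # when a subkey made the signature; compare that against the pin.
        primary = args[9] if len(args) > 9 else args[0]
        if primary.upper() == pinned_fpr.upper():
            return "ok", primary
        return "wrong-key", primary
    return "error", "no verdict in status output"


# Constructed sample status output for the three cases.
SAMPLE_NEW_SUBKEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1111222233334444 1 10 00 1546390387 9
[GNUPG:] NO_PUBKEY 1111222233334444
"""
SAMPLE_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 5555666677778888999900001111222233334444 2019-01-02 1546390387 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111222233334444 Example Signer <signer@example.org>
"""
```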
