[tor-bugs] #28971 [Applications/Tor Browser]: (Sub)key rotation sometimes breaks downstream projects
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 8 11:59:10 UTC 2019
#28971: (Sub)key rotation sometimes breaks downstream projects
--------------------------------------+----------------------------------
Reporter: ahf | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone: Tor: unspecified
Component: Applications/Tor Browser | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+----------------------------------
Comment (by gk):
We have a policy even though it is not written down yet.
Assuming we are not aware of any key compromise, the master key's expiry
date will get updated once it is about to run out, and new subkeys get
rotated once their expiry date is about to run out. "Is about to run out"
is a bit vague but the idea is to make sure the current stable release is
always signed with an up-to-date and unexpired key.
To address ahf's second question: Yes, the new subkeys are always
announced both on the first stable and alpha blogpost for releases which
are signed with the new keys. In particular, for downstream projects like
torbrowser-launcher the *alpha* blog posts are relevant here as they
introduce new keys *months* before they reach the stable series. We test
the new subkey during a bunch of alpha releases before it is used for
stable, too.
For the third question: I don't know about a location for the (new) keys.
I make sure that `gpg --recv-keys` is working before using the new key and
am under the assumption that getting the key via any other web request
would be failing, too, if the gpg command is failing. That said, I am fine
if someone wants to put the Tor Browser signing keys fetched via
`gpg --recv-keys` at some other place for easy download.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28971#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
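As an added illustration of the policy gk describes (this is example code written for this page, not code from the ticket, from Tor Browser or from torbrowser-launcher): a small checker that a downstream project or a release manager could run over the machine-readable output of `gpg --with-colons --fixed-list-mode --list-keys <KEYID>` to see whether the primary key and its signing subkeys are expired or about to expire. The field layout follows GnuPG's documented colon-record format; the sample listing, its key IDs, its fingerprint and its timestamps are constructed placeholders, not the real Tor Browser signing key. The "healthy" rule encoded here is the one stated above: the current release must be verifiable with an unexpired key, and rotation should happen while a subkey is merely "expiring", so a healthy key has at least one signing subkey that is still plainly "ok".

```python
"""Check a GnuPG colon-format key listing for signing-subkey expiry.

Colon-record fields (GnuPG doc/DETAILS, 1-based): 1 record type,
2 validity, 3 key length, 4 algorithm, 5 key ID, 6 creation time,
7 expiry time (seconds since epoch; empty when the key never expires),
12 capabilities ("s" = sign, "e" = encrypt, "c" = certify).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample listing: key IDs, fingerprint, user ID and dates are
# placeholders, not the real Tor Browser signing key. The four subkeys are:
# an expired signing key, one expiring soon, one with a year left, and an
# encryption-only key that is irrelevant to release verification.
SAMPLE_LISTING = """\
tru::1:1546905600:0:3:1:5
pub:-:4096:1:0000000000000001:1451606400:1577836800::-:::cC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1451606400::0000000000000000000000000000000000000001::Example Signing Key (placeholder) <signing@example.invalid>::::::::::0:
sub:e:4096:1:0000000000000002:1451606400:1543622400:::::s::::::23::0:
sub:-:4096:1:0000000000000003:1514764800:1548979200:::::s::::::23::0:
sub:-:4096:1:0000000000000004:1546300800:1577836800:::::s::::::23::0:
sub:-:4096:1:0000000000000005:1451606400::::::e::::::23::0:
"""


@dataclass
class KeyRecord:
    kind: str                    # "pub" (primary) or "sub" (subkey)
    keyid: str
    created: datetime
    expires: Optional[datetime]  # None when the key never expires
    capabilities: str


def parse_colons(listing: str) -> List[KeyRecord]:
    """Keep only pub/sub records; tru, fpr and uid lines are not needed here."""
    records: List[KeyRecord] = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        created = datetime.fromtimestamp(int(f[5]), tz=timezone.utc)
        expires = datetime.fromtimestamp(int(f[6]), tz=timezone.utc) if f[6] else None
        records.append(KeyRecord(f[0], f[4], created, expires, f[11]))
    return records


def classify(expires: Optional[datetime], now: datetime, warn_days: int) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    if expires is None:
        return "ok"
    if expires <= now:
        return "expired"
    if (expires - now).days < warn_days:
        return "expiring"
    return "ok"


def check_signing_keys(listing: str, now: datetime, warn_days: int = 30) -> Dict[str, object]:
    """Summarise primary-key and signing-subkey status for a release signer."""
    records = parse_colons(listing)
    primaries = [r for r in records if r.kind == "pub"]
    if not primaries:
        raise ValueError("listing contains no primary key")
    primary_status = classify(primaries[0].expires, now, warn_days)

    subkeys: Dict[str, str] = {}
    for r in records:
        if r.kind == "sub" and "s" in r.capabilities:
            status = classify(r.expires, now, warn_days)
            # A subkey is only usable while its primary key is still valid.
            if primary_status == "expired":
                status = "expired"
            subkeys[r.keyid] = status

    return {
        "primary": primary_status,
        "signing_subkeys": subkeys,
        # Healthy: primary not about to run out, and at least one signing
        # subkey that is neither expired nor already inside the warning window.
        "healthy": primary_status == "ok" and "ok" in subkeys.values(),
    }


if __name__ == "__main__":
    # "now" is set to the ticket comment's date so the sample is reproducible.
    print(check_signing_keys(SAMPLE_LISTING, datetime(2019, 1, 8, 12, tzinfo=timezone.utc)))
```

Run against a real key by piping `gpg --with-colons --fixed-list-mode --list-keys <KEYID>` into `check_signing_keys`; a downstream packager that does this at build time sees an "expiring" signing subkey weeks before verification would start failing, which is exactly the window in which the alpha blog posts announce the successor subkey.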