[tor-bugs] #31296 [Webpages/Support]: simplify OpenPGP signature verification instructions
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Oct 25 11:08:21 UTC 2019
#31296: simplify OpenPGP signature verification instructions
------------------------------+--------------------------
 Reporter:  dkg               |          Owner:  ggus
     Type:  defect            |         Status:  reopened
 Priority:  Medium            |      Milestone:
Component:  Webpages/Support  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+--------------------------
Comment (by boklm):
When fetching the torbrowser key with wkd using the command from
https://support.torproject.org/tbb/how-to-verify-signature/, I get the
following two subkeys:
{{{
pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid                 [ unknown] Tor Browser Developers (signing key) <torbrowser at torproject.org>
sub   rsa4096/2D000988589839A3 2014-12-15 [S] [revoked: 2015-08-26]
sub   rsa4096/EB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
}}}
One of them is a revoked subkey.

According to the `gpgv` manpage: "gpgv assumes that all keys in the
keyring are trustworthy. That does also mean that it does not check for
expired or revoked keys".

Does this mean that if a new Tor Browser release is signed with the
revoked subkey `EB774491D9FF06E2`, then gpgv will not complain? If so then
we probably need to add instructions explaining how to remove revoked
subkeys from the keyring.

As we regularly rotate the subkey we use for signing the releases, I think
we should also include on this page how to refresh the key (and how to
remove expired and revoked subkeys from the keyring, if gpgv would use
them without complaining).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
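
One way to check a keyring for the condition raised in the comment above, as an added example that is not part of the ticket or of any Tor Project instructions: it parses GnuPG's colon-delimited listing (`gpg --with-colons --list-keys`) and reports signing-capable keys that are revoked or expired. It assumes epoch timestamps in the listing; the sample input is constructed, and the function name is hypothetical.

```python
"""Flag revoked or expired signing keys before a keyring is handed to gpgv."""
from datetime import datetime, timezone

# Constructed sample of `gpg --with-colons --list-keys` output. Key IDs and
# dates mirror the listing quoted in the ticket; all other fields are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:4E2C6E8793298290:1418601600:1598227200::-:::cSC::::::23::0:
fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:
sub:r:4096:1:2D000988589839A3:1418601600::::::s::::::23:
sub:-:4096:1:EB774491D9FF06E2:1527292800:1599868800:::::s::::::23:
"""


def unusable_signing_keys(listing, now):
    """Return [(key_id, reason)] for signing-capable keys that are revoked or expired.

    listing: text in GnuPG's colon-delimited key listing format
    now:     timezone-aware datetime to evaluate expiry against
    """
    findings = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        validity, key_id, expires, caps = f[1], f[4], f[6], f[11]
        # Lowercase letters are the key's own capabilities; uppercase ones on a
        # "pub" record summarise the whole key, so only lowercase "s" counts.
        if "s" not in caps:
            continue
        if validity == "r":
            findings.append((key_id, "revoked"))
        elif validity == "e" or (expires and int(expires) <= now.timestamp()):
            # Validity "e" is computed when gpg lists the key; the timestamp
            # comparison also covers a listing that was saved earlier.
            findings.append((key_id, "expired"))
    return findings


if __name__ == "__main__":
    for key_id, reason in unusable_signing_keys(SAMPLE_LISTING, datetime.now(timezone.utc)):
        print(f"{key_id}: {reason}; do not include it in a keyring used with gpgv")
```
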