[tor-dev] Distributing Tor developer keys via Fedora packages
Andrew Clausen
andrew.p.clausen at gmail.com
Fri Jul 17 13:56:08 UTC 2020
Hi everyone,
I propose distributing the Tor developer keys inside the Fedora package
distribution-gpg-keys.[1] This would give most Linux users a trustworthy
chain of signatures from their own distributor (e.g. CentOS or Fedora) to
Tor project downloads.
I am happy to take care of this, although I am also happy if somebody who
is more involved with Tor than me takes this on. I wrote a shell script
(attached) to acquire and organise the keys based on
https://2019.www.torproject.org/include/keys.txt. My script would install
the following keys under /usr/share/distribution-gpg-keys/tor:
Arm_releases/Damian_Johnson.gpg
Tails_live_system_releases/The_Tails_team.gpg
TorBirdy_releases/Sukhbir_Singh.gpg
Tor_Browser_releases/Arthur_Edelstein.gpg
Tor_Browser_releases/Georg_Koppen.gpg
Tor_Browser_releases/Mike_Perry.gpg
Tor_Browser_releases/Nicolas_Vigier.gpg
Tor_Browser_releases/The_Tor_Browser_Developers.gpg
Tor_source_tarballs/Nick_Mathewson.gpg
Tor_source_tarballs/Roger_Dingledine.gpg
Torsocks_releases/David_Goulet.gpg
deb.torproject.org_repositories_and_archives/Tor_Project_Archive.gpg
older_Tor_tarballs/Nick_Mathewson.gpg
other/Peter_Palfrader.gpg
Unless someone else volunteers (please do!), I will set up a weekly job to
run the script and alert me to any changes.
Can anyone see any potential problems with this plan?
The most obvious question is: how do I know that I am distributing
unadulterated keys? I think the answer is that I don't! But any attack
would have to affect a large group of people, and would be detected quickly
as long as many people are looking at the distribution-gpg-keys package.
If this solution is unsatisfactory, then perhaps someone who is more
involved with the Tor developers -- and hence able to directly check the
keys -- ought to take this on.
[1] See https://github.com/xsuchy/distribution-gpg-keys and
https://rpmfind.net/linux/RPM/fedora/updates/32/x86_64/Packages/d/distribution-gpg-keys-1.39-1.fc32.noarch.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20200717/0c1e4f20/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fetch
Type: application/octet-stream
Size: 468 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20200717/0c1e4f20/attachment.obj>
More information about the tor-dev
mailing list