[tor-relays] Archive key from deb.torproject.org was renewed!
telekobold
torproject-ml at telekobold.de
Fri Aug 2 15:16:06 UTC 2024
Hi boldsuck,
thank you for your messages and the explanations. To be honest, I wasn't
aware that the GPG key has to be updated manually every two years.
However, I still have a few comprehension questions:
On 16.07.24 14:03, boldsuck wrote:
> wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
What exactly is the purpose of "gpg --dearmor" and of "tee" here? Why
isn't it enough to just type
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc > /usr/share/keyrings/tor-archive-keyring.gpg
?
I compared the output with and without the "gpg --dearmor" using diff;
it is exactly the same. And the only effect of tee is that the binary
output is also printed to the terminal. There is even something that is
interpreted as a line break at the end of the binary .gpg file, so that
the terminal tries to execute "1;2c", which leads to an error. However,
with the shortened command, everything also works without errors.
>> apt-key -list /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
[...]
> Sorry, above is the key that is installed by the package
> deb.torproject.org-keyring.
> gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg shows you
> the one imported via wget.
On my relays (installed "the standard way" using the manuals at the
torproject.org website), both commands output the same GPG key with the
fingerprint
A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89
So, there seems to be no other Tor-related GPG key installed by the
package deb.torproject.org-keyring, just the GPG key manually installed
via the above wget command.
And finally, it would be nice if one could check the fingerprint of this
key on future physical Tor relay operators meetups like the one at the
Chaos Communication Camp. I'm not even sure if wget does any background
check based on a hierarchical certificate check of the TLS certificate
of torproject.org. If the TLS connection were somehow corrupted at
the moment one executed the wget command, an attacker could corrupt
the whole relay, according to my understanding. Or do I have an error in
my thinking here?
Kind regards
telekobold
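As an added example (not code from this thread, and not the Tor Project's tooling), the following Python models the two pieces of the command under discussion: what `gpg --dearmor` does to an ASCII-armored `.asc` file (drop the BEGIN/END lines and any `Version:`-style headers, base64-decode the body, verify the CRC-24 trailer) and how `gpg --show-keys` derives the v4 fingerprint that an operator would compare against a value obtained out of band. So that it runs offline it builds a constructed toy public-key packet; that key is not real, its modulus is an arbitrary number, and its fingerprint is meaningless. The only value taken from the thread is the Tor archive key fingerprint, which the toy key is expected not to match. Whether gpg passes an already-binary input file through unchanged is not modeled here.

```python
import base64
import hashlib
import struct

# Fingerprint quoted in the thread; used here only as the value to compare against.
TOR_ARCHIVE_FPR = "A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89"

# Constructed toy key material: NOT a real key (the modulus is an arbitrary number
# and far too small to be usable), present only so the example runs offline.
TOY_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
TOY_E = 65537
TOY_CREATED = 1700000000


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1): the checksum on the '=xxxx' armor line."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def mpi(n: int) -> bytes:
    """Multi-precision integer: 2-byte bit length, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_toy_pubkey_packet(n: int, e: int, created: int) -> bytes:
    """v4 RSA public-key packet (tag 6), old-format header with a 2-byte length (0x99)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def armor(binary: bytes) -> str:
    """Produce the .asc form: base64 body plus a CRC-24 line between BEGIN/END markers."""
    b64 = base64.b64encode(binary).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    chk = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + body
                     + ["=" + chk, "-----END PGP PUBLIC KEY BLOCK-----", ""])


def dearmor(text: str) -> bytes:
    """Model of gpg --dearmor: strip the armor, base64-decode, verify the CRC-24."""
    lines = text.splitlines()
    begins = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP")]
    ends = [i for i, l in enumerate(lines) if l.startswith("-----END PGP")]
    if not begins or not ends or ends[0] < begins[0]:
        raise ValueError("no ASCII armor found")
    inner = lines[begins[0] + 1:ends[0]]
    stripped = [l.strip() for l in inner]
    if "" in stripped:  # armor headers (Version:, Comment:) end at the first blank line
        inner = inner[stripped.index("") + 1:]
    data = [l.strip() for l in inner if l.strip()]
    if not data or not data[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    checksum = int.from_bytes(base64.b64decode(data.pop()[1:]), "big")
    binary = base64.b64decode("".join(data))
    if crc24(binary) != checksum:
        raise ValueError("armor CRC-24 mismatch: the key file is damaged or was altered")
    return binary


def v4_fingerprint(binary: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte body length || body of the first public-key packet
    (RFC 4880 section 12.2), regardless of which header form the packet was stored with."""
    off = 0
    while off < len(binary):
        tag_byte = binary[off]
        if not tag_byte & 0x80:
            raise ValueError("not an OpenPGP packet stream (is the file still armored?)")
        if tag_byte & 0x40:  # new-format header
            tag, first = tag_byte & 0x3F, binary[off + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + binary[off + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(binary[off + 2:off + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: length field is 1, 2 or 4 bytes
            tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            n = 1 << ltype
            length, hdr = int.from_bytes(binary[off + 1:off + 1 + n], "big"), 1 + n
        body = binary[off + hdr:off + hdr + length]
        if tag == 6:
            if body[0] != 4:
                raise ValueError("only v4 keys are handled here")
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        off += hdr + length
    raise ValueError("no public-key packet found")


def gpg_style(fpr_hex: str) -> str:
    """Group a 40-hex-digit fingerprint in blocks of four, as gpg prints it."""
    return " ".join(fpr_hex[i:i + 4] for i in range(0, 40, 4))


def verify_keyring(armored: str, expected_fpr: str) -> bool:
    """The check to run after the download: expected_fpr must come from somewhere
    other than the same connection (a printed fingerprint, another operator)."""
    return v4_fingerprint(dearmor(armored)) == expected_fpr.replace(" ", "").upper()


if __name__ == "__main__":
    asc = armor(build_toy_pubkey_packet(TOY_N, TOY_E, TOY_CREATED))
    print(asc)
    print("fingerprint:", gpg_style(v4_fingerprint(dearmor(asc))))
    print("matches Tor archive key:", verify_keyring(asc, TOR_ARCHIVE_FPR))
```

The CRC-24 only catches transmission damage; it says nothing about who made the key, so it is no substitute for comparing the fingerprint with one obtained over a separate channel, which is the point of the meetup suggestion above. Note also that `apt` expects a binary keyring under a `.gpg` name in `/usr/share/keyrings`, which is why the published command converts the downloaded file before writing it there.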