[tor-relays] Archive key from deb.torproject.org was renewed - mind the * deb * !
eff_03675549 at posteo.se
Sun Aug 11 13:20:01 UTC 2024
OK, I code-solved my own misery:
This change is an improvement, YET really the subtle minor 3-lettered
increment is UNobvious to people like me:
BE VERY CAUTIOUS of the * D.E.B * novelty in the tor.list file:
echo 'deb [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main' \
  >> ../../etc/apt/sources.list.d/tor.list
echo 'deb-src [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main' \
  >> ../../etc/apt/sources.list.d/tor.list
and associated command:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
  | gpg --dearmor | sudo tee /usr/share/keyrings/deb.tor-archive-keyring.gpg >/dev/null
sooo, unobvious.
Question is: how many relays are now running an outdated gpg keyring?
Carlos.
On 8/11/24 2:06 PM, eff_03675549 at posteo.se wrote:
>
> Hi all,
>
> wait: I just installed a fresh relay and the torproject is still
> outdated with the old keyring!
> (I had to add sudo apt-key adv --recv-keys --keyserver keys.gnupg.net
> 74A941BA219EC810 to my script).
>
> Isn't this insane given that new comers are going to install
> vulnerable relays by default?
>
> How come the new installs still have to update?
>
> Carlos.
>
>
>
> On 8/2/24 5:16 PM, telekobold wrote:
>> Hi boldsuck,
>>
>> thank you for your messages and the explanations. To be honest, I
>> wasn't aware that the GPG key has to be updated manually every two
>> years. However, I still have a few comprehension questions:
>>
>> On 16.07.24 14:03, boldsuck wrote:
>>
>>> wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
>>>   | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
>>
>> What exactly is the purpose of "gpg --dearmor" and of "tee" here? Why
>> isn't it enough to just type
>> wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
>>   > /usr/share/keyrings/tor-archive-keyring.gpg
>> ?
>> I compared the output with and without the "gpg --dearmor" using
>> diff, it is exactly the same. And the only effect of tee is that the
>> binary output is also printed to the terminal. There is even
>> something that is interpreted as a line break at the end of the
>> binary .gpg file so that the terminal tries to execute "1;2c" which
>> leads to an error. However, with the shortened command, everything
>> also works without errors.
>>
>> >> apt-key -list /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
>> [...]
>> > Sorry, above is the key that is installed by the package
>> deb.torproject.org-keyring.
>> > gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg shows
>> you the one imported via wget.
>>
>> On my relays (installed "the standard way" using the manuals at the
>> torproject.org website), both commands output the same GPG key with
>> the fingerprint
>> A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89
>> So, there seems to be no other Tor-related GPG key installed by the
>> package deb.torproject.org-keyring, just the GPG key manually
>> installed via the above wget command.
>>
>>
>> And finally, it would be nice if one could check the fingerprint of
>> this key on future physical Tor relay operators meetups like the one
>> at the Chaos Communication Camp. I'm not even sure if wget does any
>> background check based on a hierarchical certificate check of the TLS
>> certificate of torproject.org. If the TLS connection were somehow
>> corrupted at the moment one executed the wget command, an attacker
>> could corrupt the whole relay, according to my understanding. Or do I
>> have an error in my thinking here?
>>
>>
>> Kind regards
>> telekobold
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> --
> PGP updated every second week : please actualize our communication every time.
--
PGP updated every second week : please actualize our communication every time.
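The thread asks what "gpg --dearmor" adds over a plain redirect, and whether anything besides the TLS connection protects the downloaded archive key. A local check a relay operator can run after the wget step, added here as an example (it is not code from the Tor Project or from anyone in this thread): read the keyring that "signed-by=" in tor.list points at, accept either the ASCII-armored .asc form or the binary form apt wants, compute each primary key's OpenPGP v4 fingerprint (SHA-1 over 0x99, the two-byte length and the key body, as RFC 4880 section 12.2 defines it), and compare it with the fingerprint quoted above, so that the TLS chain is not the only thing standing between the download and the keyring. It also confirms that the deb and deb-src lines name the same keyring file. The key packet, armored block and sources lines inside it are constructed for offline testing; the keyring path and the "bookworm" distribution are assumptions, and the CRC line of the armor is skipped rather than verified.

```python
"""Check an apt ``signed-by=`` keyring against a pinned OpenPGP fingerprint.
Added example for this thread, not Tor Project code: accepts the armored .asc
form (what ``gpg --dearmor`` consumes) or the binary form apt expects."""
import base64
import hashlib
import re
import sys

# Archive-key fingerprint as quoted in the thread.
EXPECTED_FPR = "A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"
ARMOR_RE = re.compile(rb"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                      rb"-----END PGP PUBLIC KEY BLOCK-----", re.S)
SOURCE_RE = re.compile(r"^(deb|deb-src)\s+\[([^\]]*)\]\s+(\S+)\s+(\S+)\s+(.+)$")

def is_armored(data: bytes) -> bool:
    return data.lstrip().startswith(b"-----BEGIN PGP")

def dearmor(data: bytes) -> bytes:
    """Same result as ``gpg --dearmor`` for one key block: drop the armor
    lines, base64-decode the payload. The ``=XXXX`` CRC line is skipped."""
    m = ARMOR_RE.search(data)
    if not m:
        raise ValueError("no PGP public key block found")
    payload = re.split(rb"\r?\n\r?\n", m.group(1), maxsplit=1)[-1]  # after armor headers
    lines = [ln.strip() for ln in payload.splitlines()]
    return base64.b64decode(b"".join(ln for ln in lines if ln and not ln.startswith(b"=")))

def iter_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet, old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i - 1}")
        if ctb & 0x40:                                  # new format
            tag, b1, i = ctb & 0x3F, data[i], i + 1
            if b1 < 192:
                length = b1
            elif b1 < 224:
                length, i = ((b1 - 192) << 8) + data[i] + 192, i + 1
            elif b1 == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, then the body."""
    if body[0] != 4:
        raise ValueError(f"unsupported key version {body[0]}")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def keyring_fingerprints(data: bytes) -> list:
    """Fingerprints of every primary public key (tag 6), armored input or binary."""
    if is_armored(data):
        data = dearmor(data)
    return [v4_fingerprint(body) for tag, body in iter_packets(data) if tag == 6]

def check_keyring(data: bytes, expected: str = EXPECTED_FPR) -> bool:
    return expected.replace(" ", "").upper() in keyring_fingerprints(data)

def signed_by_paths(sources: str) -> set:
    """Keyring paths from ``signed-by=`` on deb/deb-src lines; both lines of
    tor.list should name the same file, and that file should pass check_keyring."""
    paths = set()
    for m in filter(None, map(SOURCE_RE.match, sources.splitlines())):
        opts = dict(o.split("=", 1) for o in m.group(2).split() if "=" in o)
        paths.add(opts.get("signed-by"))
    return paths

# ---- constructed offline samples (not real keys) -------------------------
def constructed_key_packet(n: int = 0xC0FFEE, e: int = 0x10001) -> bytes:
    """Syntactically valid v4 RSA public-key packet with tiny, useless MPIs."""
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return bytes([0x98, len(body)]) + body  # old-format CTB 0x98: tag 6, 1-byte length

def constructed_armored(packet: bytes) -> bytes:
    """Wrap a packet the way a downloaded .asc looks (CRC line is a placeholder)."""
    return (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.encodebytes(packet)
            + b"=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")

CONSTRUCTED_SOURCES = (  # assumed keyring path and 'bookworm' distribution
    "deb [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main\n"
    "deb-src [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main\n")

if __name__ == "__main__":  # usage: python3 check_keyring.py /usr/share/keyrings/<file>.gpg
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_armored(constructed_key_packet())
    print("fingerprints:", keyring_fingerprints(data), "pinned match:", check_keyring(data))
    print("signed-by paths:", signed_by_paths(CONSTRUCTED_SOURCES))
```

Run it with the path of the keyring tor.list points at (either spelling used in this thread) and it prints the fingerprints it finds and whether the pinned one is among them; with no argument it runs over the constructed sample instead. Because the fingerprint is checked after the file is on disk, a substituted key would be caught even if the download itself went wrong, which is the gap telekobold was worried about.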