On Fri, Jul 17, 2020 at 02:56:08PM +0100, Andrew Clausen wrote:
> Hi everyone,
>

Hi,

Thanks for your interest in this.

> I propose distributing the Tor developer keys inside the Fedora package
> distribution-gpg-keys.[1] This would give most Linux users a trustworthy
> chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> Tor project downloads.

(most? :) )

> I am happy to take care of this, although I am also happy if somebody who
> is more involved with Tor than me takes this on. I wrote a shell script
> (attached) to acquire and organise the keys based on
> https://2019.www.torproject.org/include/keys.txt. My script would install
> the following keys under /usr/share/distribution-gpg-keys/tor:

Unfortunately that file is very old and incorrect now.

> Arm_releases/Damian_Johnson.gpg
> Tails_live_system_releases/The_Tails_team.gpg
> TorBirdy_releases/Sukhbir_Singh.gpg
> Tor_Browser_releases/Arthur_Edelstein.gpg
> Tor_Browser_releases/Georg_Koppen.gpg
> Tor_Browser_releases/Mike_Perry.gpg
> Tor_Browser_releases/Nicolas_Vigier.gpg
> Tor_Browser_releases/The_Tor_Browser_Developers.gpg
> Tor_source_tarballs/Nick_Mathewson.gpg
> Tor_source_tarballs/Roger_Dingledine.gpg
> Torsocks_releases/David_Goulet.gpg
> deb.torproject.org_repositories_and_archives/Tor_Project_Archive.gpg
> older_Tor_tarballs/Nick_Mathewson.gpg
> other/Peter_Palfrader.gpg
>
> Unless someone else volunteers (please do!), I will set up a weekly job to
> run the script and alert me to any changes.
>
> Can anyone see any potential problems with this plan?

While this is a nice idea, creating a package like this would take more time than we currently have to spare right now. But, with that being said, we could probably automatically generate the package in a CI/CD pipeline when the right people become less overwhelmed. Luckily, project signing keys don't change very often (on the order of years), so if there is a desire for a package like this, then it would likely only be updated a couple times per year.

I don't know who would upload it for distribution, though.

> The most obvious question is: how do I know that I am distributing
> unadulterated keys? I think the answer is that I don't! But any attack
> would have to affect a large group of people, and would be detected quickly
> as long as many people are looking at the distribution-gpg-keys package.
> If this solution is unsatisfactory, then perhaps someone who is more
> involved with the Tor developers -- and hence able to directly check the
> keys -- ought to take this on.

Yeah, if a package like this exists and it has tor's name attached to it, then we should have a high degree of confidence that the package contains the correct keys.

Thanks,
Matt

_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
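The weekly "alert me to any changes" job Andrew describes, and the "how do I know the keys are unadulterated?" question, both come down to comparing what was fetched against a list of fingerprints pinned out of band. The following is an added example, not Andrew's attached script or anything from the Tor project; it assumes gpg 2.1 or later (for `--with-colons` output and `--import-options show-only`) and a plain text file of expected primary-key fingerprints that was verified by hand once.

```sh
#!/bin/sh
# Added example: fail closed when the fetched key material drifts from a pinned
# fingerprint list. Nothing here is Andrew's script; gpg >= 2.1 is assumed.
LC_ALL=C
export LC_ALL

# Render an exported key file as gpg colon records without importing it into
# any keyring (show-only). Output goes to stdout for the functions below.
show_key_colons() {
    gpg --batch --with-colons --import-options show-only --import "$1"
}

# Print the sorted, unique primary-key fingerprints found in a colon-format file.
# In colon format an "fpr" record carries the fingerprint in field 10; the first
# fpr after each "pub" record is the primary key, later ones belong to subkeys.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }' "$1" | sort -u
}

# Compare observed primary fingerprints ($1, colon-format file) against a pinned
# list ($2, one fingerprint per line, "#" comments allowed). Prints "+FPR" for
# keys that are present but not pinned and "-FPR" for pinned keys that vanished.
# Returns 0 only when the two sets are identical, so a cron job can alert on 1.
check_fingerprints() {
    obs=$(mktemp) || return 2
    pin=$(mktemp) || { rm -f "$obs"; return 2; }
    primary_fingerprints "$1" > "$obs"
    grep -v '^#' "$2" | sed '/^$/d' | sort -u > "$pin"
    unexpected=$(comm -23 "$obs" "$pin")   # observed only
    missing=$(comm -13 "$obs" "$pin")      # pinned only
    rm -f "$obs" "$pin"
    status=0
    [ -n "$unexpected" ] && { printf '%s\n' "$unexpected" | sed 's/^/+/'; status=1; }
    [ -n "$missing" ] && { printf '%s\n' "$missing" | sed 's/^/-/'; status=1; }
    return $status
}

# Usage when run directly: check_keys.sh exported.gpg pinned-fingerprints.txt
if [ $# -ge 2 ]; then
    tmp=$(mktemp) && show_key_colons "$1" > "$tmp" && check_fingerprints "$tmp" "$2"
    rc=$?; rm -f "$tmp"; exit $rc
fi
```

A key that is rotated legitimately then shows up as one `+` line and one `-` line, which is exactly the event a human should confirm against the project's own announcement before the pinned list is updated.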
