List: tor-dev
Subject: Re: [tor-dev] Distributing Tor developer keys via Fedora packages
From: Andrew Clausen <andrew.p.clausen () gmail ! com>
Date: 2020-07-20 23:28:21
Message-ID: CAAXZBWKn=_ovR4aQtJfGbz767h-vv_PwHJX6Comc1=5Uy6HdKQ () mail ! gmail ! com
Hi Matt,
On Mon, 20 Jul 2020 at 22:37, Matthew Finkel <sysrqb@torproject.org> wrote:
> > I propose distributing the Tor developer keys inside the Fedora package
> > distribution-gpg-keys.[1] This would give most Linux users a trustworthy
> > chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> > Tor project downloads.
>
> (most? :) )
>
I suspect so. I haven't checked if Debian/Ubuntu have keyrings for
Fedora. (Vice versa is certainly true.)
> > I am happy to take care of this, although I am also happy if somebody who
> > is more involved with Tor than me takes this on. I wrote a shell script
> > (attached) to acquire and organise the keys based on
> > https://2019.www.torproject.org/include/keys.txt. My script would install
> > the following keys under /usr/share/distribution-gpg-keys/tor:
>
> Unfortunately that file is very old and incorrect now.
>
That is unfortunate. Is there any sensible way that users can currently
verify signatures of their downloads? (Can I mimic that?)
> > The most obvious question is: how do I know that I am distributing
> > unadulterated keys? I think the answer is that I don't! But any attack
> > would have to affect a large group of people, and would be detected quickly
> > as long as many people are looking at the distribution-gpg-keys package.
> > If this solution is unsatisfactory, then perhaps someone who is more
> > involved with the Tor developers -- and hence able to directly check the
> > keys -- ought to take this on.
>
> Yeah, if a package like this exists and it has tor's name attached to
> it, then we should have a high degree of confidence that the package
> contains the correct keys.
>
I'm not sure I understood what you mean. Are you worried about an attack?
Or just miscommunication?
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
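The thread asks how a packager can tell that the keys being shipped are the right ones. As an added example (not from this thread and not the shell script Andrew attached), here is a pure-Python check a packager could run over each acquired key file: it strips the ASCII armor, walks the OpenPGP packets, computes the RFC 4880 v4 fingerprint of the primary key and compares it with a fingerprint obtained through a second channel (the project's website, a signed release note, a developer in person). The key it parses is a constructed toy packet embedded in the code, not a Tor developer key, and no fingerprint from keys.txt is assumed.

```python
"""OpenPGP v4 key fingerprints from an ASCII-armored key block (RFC 4880), no gpg call."""
import base64
import hashlib

PUBLIC_KEY, PUBLIC_SUBKEY = 6, 14

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1: detects transmission errors, not tampering."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw packets in ASCII armor with a CRC-24 trailer line."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + lines
                     + ["=" + crc, f"-----END PGP {kind}-----", ""])

def dearmor(text: str) -> bytes:
    """Strip armor, verify the CRC-24 trailer when present, return raw packet bytes."""
    state, body, crc_line = 0, [], None  # 0 before BEGIN, 1 armor headers, 2 base64 body
    for line in text.splitlines():
        line = line.strip()
        if state == 0:
            state = 1 if line.startswith("-----BEGIN PGP") else 0
        elif state == 1:
            state = 2 if line == "" else 1  # blank line ends "Version:"-style headers
        elif line.startswith("-----END PGP"):
            break
        elif line.startswith("="):
            crc_line = line[1:]
        elif line:
            body.append(line)
    if state != 2 or not body:
        raise ValueError("no armored block found")
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: block corrupted")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) per packet, old- and new-format headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:  # new format
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: low two bits give 1, 2 or 4 length octets (3 = indeterminate)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += length

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_fingerprints(armored: str) -> list:
    """Fingerprints of the primary key and its subkeys, in packet order (primary first)."""
    return [v4_fingerprint(b) for t, b in iter_packets(dearmor(armored))
            if t in (PUBLIC_KEY, PUBLIC_SUBKEY)]

def check_key(armored: str, published_fingerprint: str) -> bool:
    """True if the primary key matches the fingerprint obtained through an independent
    channel (e.g. the project's website); spaces and case in the published form are ignored."""
    fps = key_fingerprints(armored)
    return bool(fps) and fps[0] == "".join(published_fingerprint.split()).upper()

def build_sample_key() -> str:
    """CONSTRUCTED fixture: a well-formed v4 RSA public-key packet with a toy 8-bit
    modulus. It is not a real key and not a Tor developer key."""
    mpi_n = (8).to_bytes(2, "big") + b"\xc1"           # MPI: bit length, then magnitude
    mpi_e = (17).to_bytes(2, "big") + b"\x01\x00\x01"   # e = 65537
    body = b"\x04" + (0).to_bytes(4, "big") + b"\x01" + mpi_n + mpi_e  # v4, ctime 0, RSA
    return armor(bytes([0x80 | (PUBLIC_KEY << 2), len(body)]) + body)  # old-format header

if __name__ == "__main__":
    key = build_sample_key()
    fps = key_fingerprints(key)
    print("fingerprints:", fps)
    print("matches published fingerprint:", check_key(key, fps[0].lower()))
```

The CRC-24 trailer only catches corruption in transit; it is not a security control, and a hostile mirror can regenerate it. What answers "how do I know I am distributing unadulterated keys" is the fingerprint comparison, and it is only as good as the second source of the expected fingerprint: that source must be independent of wherever the key file was fetched from, and, as Matt's reply notes, it must be the project's current key list rather than the outdated keys.txt.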