Opened 6 years ago

Closed 5 years ago

#10495 closed enhancement (wontfix)

Better way - Leftover tor gpg signing key in the local user's gpg keychain in the documentation

Reported by: daffyduck
Priority: Medium
Component: Webpages/Website

Description

Hi,
on this page:
https://www.torproject.org/docs/debian.html.en#ubuntu
You give the following two instructions for downloading the gpg signing key and then using it for apt. This leaves the tor gpg signing key in the local user's gpg keychain.

    gpg --keyserver keys.gnupg.net --recv 886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

However, apt-key could do this in one command:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-keys 886DDD89

Now, I do not know if you have a reason to use two separate lines; maybe you do not trust apt-key being run with sudo to fetch keys from a keyserver.
If that is the case then you could tell users that they can remove the tor signing key from the local keychain, since it is not used there.

    gpg --delete-key 0x886DDD89

You could also fetch the key with wget and pipe it to apt-key directly, which might be the cleanest solution of all:

    wget -q 'http://keys.gnupg.net/pks/lookup?op=get&search=0x886DDD89' -O- | sudo apt-key add -

This would also avoid the leftover tor gpg signing key in any user's local gpg keychain.
BR

Change History (1)

comment:1 Changed 5 years ago by Sebastian

Resolution: wontfix
Status: new → closed

All the solutions that never put the key into the user's keychain are insecure, because gpg never checks that it actually got the right key reliably. Having one more key in the keyring isn't an issue as far as I'm concerned. Please reopen if I'm overlooking a problem.
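The point in the comment above is that a keyserver lookup by the short ID 886DDD89 does not prove which key came back, only the full fingerprint does. The script below is an added example (not from the ticket or the Tor project) of the "fetch, verify the fingerprint, then apt-key add" flow that keeps the key out of the user's own keyring; it assumes GnuPG 2.1.14 or later for `--import-options show-only`, and the keyserver URL, `install_tor_key` and the sample listing are constructed for illustration.

```shell
# Added example, not from the ticket or the Tor project. Assumes GnuPG >= 2.1.14
# (--import-options show-only) and wget/apt-key only when install_tor_key() runs.

# Full fingerprint of the Tor archive signing key, as quoted in the ticket.
EXPECTED_FPR="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"

# Read a gpg --with-colons listing on stdin; print the fingerprint (field 10 of
# the "fpr" record that directly follows "pub") of every primary key, upper case.
# "fpr" records after "sub" belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10) }
             { want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key whose full
# fingerprint equals $1. The short ID 886DDD89 is deliberately not used: 32-bit
# key IDs are not unique, the 160-bit fingerprint is.
fingerprint_ok() {
    [ "$(primary_fprs)" = "$1" ]
}

# Download the key, list it in a throwaway GNUPGHOME (nothing is imported into
# the user's keyring), verify the fingerprint, and only then add it for apt.
install_tor_key() {
    url="$1"; expected="$2"; work="$(mktemp -d)" || return 1
    if wget -q "$url" -O "$work/key.asc" \
       && gpg --homedir "$work" --batch --with-colons \
              --import-options show-only --import "$work/key.asc" 2>/dev/null \
          | fingerprint_ok "$expected"; then
        sudo apt-key add "$work/key.asc"; rc=$?
    else
        echo "refusing to add key: fingerprint is not $expected" >&2; rc=1
    fi
    rm -rf "$work"; return $rc
}

# Constructed sample listing (one primary key plus one signing subkey):
SAMPLE_LISTING='pub:-:4096:1:EE8CBC9E886DDD89:1241361857::-:::scSC::::::
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::::::deb.torproject.org archive signing key:
sub:-:2048:1:0000000000000001:1241361857::::::s::::::
fpr:::::::::1111111111111111111111111111111111111111:'

# Self-check that needs neither network nor gpg:
printf '%s\n' "$SAMPLE_LISTING" | fingerprint_ok "$EXPECTED_FPR" && echo "fingerprint OK"
```

To use it for real, call `install_tor_key 'http://keys.gnupg.net/pks/lookup?op=get&search=0x886DDD89' "$EXPECTED_FPR"` with the fingerprint taken from a source you trust, not from the same server that served the key.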
