Opened 3 years ago

Closed 3 years ago

#20391 closed defect (fixed)

Invalid Nick Mathewson key in Tor Wiki

Reported by: tmpname0901
Owned by:
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Page https://www.torproject.org/docs/signing-keys.html.en shows Nick Mathewson's old PGP key, not the current one. It is the current key that is used to sign the Tor source tarballs.

See here: http://www.wangafu.net/~nickm/key-transition-statement-2.txt.asc

Also, since the Wiki page will be edited, it would be nice if instructions on using the Tor public key were on the page. When verifying the tarball I get this:

$ gpg --verify tor-0.2.8.9.tar.gz.asc
gpg: Signature made Mon 17 Oct 2016 08:16:09 PM UTC using RSA key ID 8D29319A
gpg: Can't check signature: public key not found
gpg: Signature made Mon 17 Oct 2016 08:16:09 PM UTC using RSA key ID 9E92B601
gpg: Good signature from "Nick Mathewson <nickm@…>"
gpg: aka "Nick Mathewson <nickm@…>"
gpg: aka "Nick Mathewson <nickm@…>"
gpg: aka "Nick Mathewson <nickm@…>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB
Subkey fingerprint: 7A02 B352 1DC7 5C54 2BA0 1545 6AFE E6D4 9E92 B601

Note the "Can't check signature: public key not found" above.

Child Tickets

Change History (1)

comment:1 Changed 3 years ago by nickm

Component: Internal Services/Wiki → User Experience/Website
Resolution: fixed
Status: new → closed

See my email about key transition here:

https://lists.torproject.org/pipermail/tor-dev/2016-October/011576.html

And the key transition statement here:

https://people.torproject.org/~nickm/key-transition-statement-2.txt.asc

You're seeing the "can't check signature, public not found" message because that release is signed with both my old key and my new key: you have the new one, but not the old one, so it's only checking one of the fingerprints. I'm not going to double-sign in the future, since apparently it's a kludge that doesn't work very well.

I've updated the webpage to list both keys.
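The situation nickm describes is easy to misread from gpg's human-readable output: "Can't check signature: public key not found" for one signature sits next to "Good signature" for the other, and the only thing that actually ties the good signature to the project is the fingerprint, which has to be compared against a published value by hand. The script below is an added example (not part of this ticket, of Trac, or of Tor's release tooling) that does that comparison mechanically. It reads the machine-readable records gpg emits with `--status-fd`, treats a NO_PUBKEY signature as unverifiable rather than as a failure, and accepts only if some signature is VALIDSIG from a key whose primary fingerprint was pinned in advance. The embedded status transcript is constructed to mirror the ticket's output; the 16-hex key id of the missing key and the e-mail address in it are placeholders, since the page shows only the short id 8D29319A and an elided address.

```python
"""Decide a release's verification status from gpg --status-fd records.

Usage (assumed layout, not a Tor tool):
  gpg --status-fd 1 --verify tor-0.2.8.9.tar.gz.asc tor-0.2.8.9.tar.gz \
      | python3 verify_release.py "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
gpg writes the '[GNUPG:]' records to the fd given; the usual text goes to stderr.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

STATUS_PREFIX = "[GNUPG:] "
# Records that describe an individual signature; everything else is skipped.
SIG_TAGS = {"ERRSIG", "NO_PUBKEY", "GOODSIG", "BADSIG", "EXPKEYSIG", "REVKEYSIG", "VALIDSIG"}


def normalize_fpr(fpr: str) -> str:
    """Turn a fingerprint as printed ('2133 BC60 ...') into bare upper-case hex."""
    return "".join(fpr.split()).upper()


@dataclass
class Signature:
    keyid: str = ""
    status: str = "unknown"   # valid | nokey | bad | expired | revoked | unknown
    signer_fpr: str = ""      # fingerprint of the (sub)key that made the signature
    primary_fpr: str = ""     # fingerprint of that key's primary key
    uid: str = ""             # user id gpg reported alongside the signature


def parse_status(lines: Iterable[str]) -> List[Signature]:
    """Group status-fd records into one Signature per NEWSIG block."""
    sigs: List[Signature] = []
    cur = None
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue                      # not a status record
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "NEWSIG":               # gpg 2.x starts each signature with NEWSIG
            cur = Signature()
            sigs.append(cur)
            continue
        if tag not in SIG_TAGS:
            continue
        if cur is None:                   # tolerate output without NEWSIG
            cur = Signature()
            sigs.append(cur)
        if tag != "VALIDSIG" and args:
            cur.keyid = args[0]
        if tag in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
            cur.uid = " ".join(args[1:])
        if tag == "NO_PUBKEY":
            cur.status = "nokey"
        elif tag == "BADSIG":
            cur.status = "bad"
        elif tag == "EXPKEYSIG":
            cur.status = "expired"
        elif tag == "REVKEYSIG":
            cur.status = "revoked"
        elif tag == "VALIDSIG" and args:
            # VALIDSIG <signer fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo> <hash> <class> [<primary fpr>]
            cur.signer_fpr = args[0]
            cur.primary_fpr = args[9] if len(args) > 9 else args[0]
            if cur.status == "unknown":   # EXPKEYSIG/REVKEYSIG also precede a VALIDSIG
                cur.status = "valid"
    return sigs


@dataclass
class Verdict:
    ok: bool
    matched: List[Signature] = field(default_factory=list)       # valid, from a pinned key
    unverifiable: List[Signature] = field(default_factory=list)  # NO_PUBKEY: key not in keyring
    problems: List[str] = field(default_factory=list)


def verify_release(status_lines: Iterable[str], pinned_primary_fprs: Iterable[str]) -> Verdict:
    """Accept iff some signature is VALIDSIG from a pinned primary key and none is BADSIG."""
    pinned = {normalize_fpr(f) for f in pinned_primary_fprs}
    sigs = parse_status(status_lines)
    verdict = Verdict(ok=False)
    for sig in sigs:
        if sig.status == "nokey":
            verdict.unverifiable.append(sig)
        elif sig.status == "valid" and normalize_fpr(sig.primary_fpr) in pinned:
            verdict.matched.append(sig)
        elif sig.status == "valid":
            # "Good signature" but from a key we never pinned: gpg's "not certified
            # with a trusted signature" warning, which must not count as acceptance.
            verdict.problems.append(f"valid signature from unpinned key {sig.primary_fpr}")
        else:
            verdict.problems.append(f"signature by {sig.keyid or '?'} is {sig.status}")
    verdict.ok = bool(verdict.matched) and not any(s.status == "bad" for s in sigs)
    return verdict


# Constructed transcript modelled on the ticket: one signature from a key that is not
# in the keyring, one from the subkey whose fingerprint the reporter pasted. The long
# key id 000000008D29319A and the address nickm@example.invalid are placeholders.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 000000008D29319A 1 10 00 1476735369 9
[GNUPG:] NO_PUBKEY 000000008D29319A
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 2133BC600AB133E1D826D173FE43009C4607B1FB 0
[GNUPG:] SIG_ID cOnStRuCtEdSiGiDxxxxxxxxxxx 2016-10-17 1476735369
[GNUPG:] GOODSIG 6AFEE6D49E92B601 Nick Mathewson <nickm@example.invalid>
[GNUPG:] VALIDSIG 7A02B3521DC75C542BA015456AFEE6D49E92B601 2016-10-17 1476735369 0 4 0 1 10 00 2133BC600AB133E1D826D173FE43009C4607B1FB
[GNUPG:] TRUST_UNDEFINED 0 pgp
""".splitlines()

# Primary fingerprint of the new key, as printed in the ticket (spaces included).
PINNED_NEW_KEY = "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"

if __name__ == "__main__":
    import sys
    v = verify_release(sys.stdin.read().splitlines(), sys.argv[1:] or [PINNED_NEW_KEY])
    for s in v.unverifiable:
        print(f"unverifiable: no public key for {s.keyid} (not a failure by itself)")
    for p in v.problems:
        print("problem:", p)
    print("ACCEPT" if v.ok else "REJECT")
    sys.exit(0 if v.ok else 1)
```

Run against the constructed transcript with the new key pinned, the result is ACCEPT with one unverifiable signature, which is exactly the double-signed tarball nickm explains. Pin the stale fingerprint the webpage showed instead and the same transcript is rejected: gpg still prints "Good signature", but the signer is not the key you were expecting, which is the check the human-readable output leaves to the reader.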
