Opened 3 years ago

Closed 3 years ago

#20948 closed defect (fixed)

Problem verifying source code - .asc file signed using 9E92B601, doc uses D40814E0

Reported by: EdwkA Owned by:
Priority: Immediate Milestone:
Component: - Select a component Version: Tor: 0.2.8.11
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Child Tickets

Attachments (2)

tor-0.2.8.11.tar.gz.asc (801 bytes) - added by EdwkA 3 years ago.
asc file
key-transition-statement-2.txt (3.8 KB) - added by EdwkA 3 years ago.
key transition statement

Download all attachments as: .zip

Change History (6)

Changed 3 years ago by EdwkA

Attachment: tor-0.2.8.11.tar.gz.asc added

asc file

Changed 3 years ago by EdwkA

key transition statement

comment:1 Changed 3 years ago by EdwkA

source too big to attach.

comment:2 Changed 3 years ago by dcf

The key ID D40814E0 at https://www.torproject.org/docs/verifying-signatures.html.en is for verifying Tor Browser packages, not tor packages. The tor packages (without the browser) are signed with a different key.

See https://www.torproject.org/docs/signing-keys.html.en for the key to expect for tor packages; 9E92B601 is the right one:

Roger Dingledine (0x28988BF5 and 0x19F78451) or Nick Mathewson (0xFE43009C4607B1FB with signing key 0x6AFEE6D49E92B601) sign the Tor source code tarballs. (Nick's old key was 0x165733EA with signing key 0x8D29319A; it signed older tarballs.)

comment:3 Changed 3 years ago by EdwkA

thank you. PEBKAC: https://www.torproject.org/docs/verifying-signatures.html.en

https://www.torproject.org/docs/signing-keys.html.en
"For a list of which developer signs which package, see our signing keys page." (links to https://www.torproject.org/docs/signing-keys.html.en).

Missed it, even though I read it 3 times. Good to close.

comment:4 Changed 3 years ago by dgoulet

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.