Opened 9 years ago

Closed 7 years ago

#2617 closed task (wontfix)

Add GPG keys to website, remove dependency on keyservers

Reported by: confident
Owned by: phobos
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity:
Keywords: key
Cc: proper@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The following page doesn't have your actual public keys, only directions on how to verify signatures.

https://www.torproject.org/docs/verifying-signatures.html.en

But when the download from the key server fails using your method, it becomes impossible to verify the signatures because we don't have the keys.

Please post your keys on your web site. It will help people to be able to verify your signatures.

Thank you for your effort.

Change History (7)

comment:1 Changed 9 years ago by phobos

Status: new → accepted

Did you try hkp://keys.gnupg.net? Our keys are published there. Most other keyservers are broken in various ways. hkp://pool.sks-keyservers.net also works.

comment:2 Changed 9 years ago by phobos

Resolution: user disappeared
Status: accepted → closed

comment:3 Changed 7 years ago by proper

Cc: proper@… added
Resolution: user disappeared
Status: closed → reopened
Summary: no PGP keys → Add GPG keys to website, remove dependency to keyservers

I reopen this as a feature request, not as a bug report/support request.

Keyserver was down yesterday again. It's also difficult to run GPG over Tor and HTTPS.
Not sure how realistic it is that the remaining keyservers get censored in China, Iran, etc.?

All keys on the website would also allow scripting the download of Tor software (Tor Browser etc.) in a secure manner. (Get GPG key from tpo over HTTPS, download, verify with GPG.)

Proposed possible solutions:
1) Add all GPG keys to https://www.torproject.org/docs/signing-keys.html.en in a copy-and-paste-friendly form, in case the keyserver is offline or for other use cases.

2) Make a new site with all GPG keys in plain text format and link it.

3) Every person/project who is listed on https://www.torproject.org/docs/signing-keys.html.en gets its own homepage. That's already partially done. The person/project adds its GPG key to that site. It depends on whether they are interested in such a homepage and in keeping their key current.

(Related ticket, no duplicate: #5606)
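An added example, not part of the ticket or of the project's code: the last step of the scripted flow suggested in comment:3 (key fetched from the website over HTTPS, then download and verify), checking GnuPG's machine-readable status output against a pinned fingerprint. The fingerprint, the sample status lines and the function names are constructed for illustration.

```python
import subprocess

# Constructed placeholder: pin the full 40-hex fingerprint obtained out of
# band, not a short key ID.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status keywords that mean the signature must not be trusted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-03-01 1330560000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
"""


def signature_ok(status_output, pinned_fpr=PINNED_FPR):
    """True only if every VALIDSIG names the pinned primary key and no
    failure status appears; exit code or GOODSIG alone is not enough."""
    pinned = pinned_fpr.replace(" ", "").upper()
    matched = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return False
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; field 1 is the
            # (sub)key that made the signature.
            primary = args[9] if len(args) >= 10 else args[0]
            if primary.upper() != pinned:
                return False
            matched = True
    return matched


def verify_file(sig_path, data_path, keyring_path):
    """Run gpg against a keyring holding only the key file fetched from the
    website (use a path containing a slash, or gpg looks in its home dir)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_ok(proc.stdout)
```

A key served from the same site as the download only helps if the pinned fingerprint reaches the script through a separate channel; otherwise a compromised site can replace key, signature and file together.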

comment:4 Changed 7 years ago by proper

Summary: Add GPG keys to website, remove dependency to keyservers → Add GPG keys to website, remove dependency on keyservers

comment:5 Changed 7 years ago by phobos

Priority: critical → normal

Which keyserver was down yesterday? Neither of the suggested ones was down for me.

comment:6 Changed 7 years ago by proper

"gpg --keyserver keys.gnupg.net --recv 886DDD89" wasn't reachable for a few hours.

comment:7 Changed 7 years ago by phobos

Resolution: wontfix
Status: reopened → closed

The keyserver infrastructure works fine. The relevant keys are kept up to date in the keyserver infrastructure. Maintaining more files on the website isn't smart. Closing this as we won't implement.