Opened 7 months ago

Last modified 4 months ago

#27293 new defect

Expired core people's gpg keys

Reported by: traumschule
Owned by:
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords:
Cc: dmr, ahf, hiro, hellais, mo, saint, dawuud, donncha, micahlee
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Some key files on tpo / linked keys on the core people page are expired and should be re-uploaded. The following output was created with a script.

Attachments (1)

tor-check-gpg-keys.sh (2.4 KB) - added by traumschule 7 months ago.

Change History (14)

Changed 7 months ago by traumschule

Attachment: tor-check-gpg-keys.sh added

comment:1 Changed 7 months ago by traumschule

Key files on tpo

(edit: removed email addresses, link to keyserver, added DonnchaC)

Last edited 7 months ago by traumschule

comment:2 Changed 7 months ago by traumschule

db.torproject.org

(edit: removed email addresses, removed dgoulet, added ahf, removed iwakeh)

Last edited 4 months ago by traumschule

comment:3 Changed 7 months ago by traumschule

Failed to read

(edit: removed functional links)

Last edited 4 months ago by traumschule

comment:4 Changed 7 months ago by atagar

Component: - Select a component → Webpages/Website

Thanks traumschule. I maintain the corepeople page but the content of individual entries (including the key) is the responsibility of those individuals. Expired keys have been discussed before but nothing really came of it so unsure what to suggest.

If you'd care to run a 'please update your key' campaign with those individuals I certainly wouldn't mind.

comment:5 Changed 7 months ago by traumschule

Updated the script to directly link to the key pool (edit: no need to duplicate the list here)

Last edited 4 months ago by traumschule

comment:6 in reply to:  3 Changed 7 months ago by teor

Replying to traumschule:

> Failed to read
>
> ...

This page links to https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc, which is ok for humans, even if your script doesn't like it.

The SSL certificate on this domain is only valid for github domains.
One possible URL is https://juga0.github.io/files/juga.asc

comment:7 Changed 7 months ago by dmr

Cc: dmr added

comment:8 Changed 7 months ago by traumschule

Reran the script, sent an email.

comment:9 Changed 7 months ago by mo

Thank you traumschule. My new key is 0x7A3DAD4408A0009B4DE9C855858EE1C3B8A4568D
https://www.headstrong.de/0x7A3DAD4408A0009B4DE9C855858EE1C3B8A4568D.asc
https://pgp.mit.edu/pks/lookup?search=0x7A3DAD4408A0009B4DE9C855858EE1C3B8A4568D&op=vindex&exact=on

Transition statement: https://www.headstrong.de/headstrong-transition-statement-2018-08-25.txt.asc

My new key and the transition statement are signed by the old key. It does not yet have a lot of direct signatures by other Tor people and I am not sure about the policy. I will bring paper slips with my fingerprint to Mexico.

I do not have an account on db.torproject.org.

Last edited 7 months ago by mo

comment:10 Changed 7 months ago by hellais

My latest key is published to pgp.mit.edu: http://pgp.mit.edu/pks/lookup?op=get&search=0x5D67CD18702287F4.

I don't remember how to update the key in db.torproject.org, but would be glad to do it if somebody gave me instructions on how to do it.

comment:11 Changed 7 months ago by traumschule

You can open a ticket for Internal Services/Tor Sysadmin Team with a signed statement like here: #26659

comment:12 in reply to:  10 Changed 7 months ago by boklm

Replying to hellais:

> I don't remember how to update the key in db.torproject.org, but would be glad to do it if somebody gave me instructions on how to do it.

https://help.torproject.org/tsa/doc/accounts/#key-rollover

comment:13 Changed 4 months ago by traumschule

Cc: ahf hiro hellais mo saint dawuud donncha micahlee added

Reran the script and updated above. It seems some keys are updated in the pool but not on db.torproject.org, so it could be easily solved with a signed statement to refresh them on db.tpo.

Would be happy to shrink this list a bit more :)
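The kind of expiry check this ticket relies on, as an added example: it is not part of the ticket and is not the attached tor-check-gpg-keys.sh. It assumes GnuPG's machine-readable colon listing with expiry given in epoch seconds; the sample listing, the reference time and the file name `key.asc` are constructed or hypothetical.

```sh
#!/bin/sh
# Added example. GnuPG colon listing: field 1 = record type,
# field 7 = expiry (epoch seconds, empty = never), fpr field 10 = fingerprint.

# Constructed sample listing (fingerprints, dates and user IDs are made up).
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1400000000:1500000000::-:::sc:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAAAAAA:
uid:e::::1400000000::::Constructed Expired <expired@example.invalid>:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1500000000:::::e:
fpr:::::::::0000000000000000000000000000BBBBBBBBBBBBBBBB:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000:4000000000::-:::sc:
fpr:::::::::0000000000000000000000000000CCCCCCCCCCCCCCCC:
uid:-::::1500000000::::Constructed Valid <valid@example.invalid>:
pub:-:255:22:DDDDDDDDDDDDDDDD:1500000000:::-:::sc:
fpr:::::::::0000000000000000000000000000DDDDDDDDDDDDDDDD:
uid:-::::1500000000::::Constructed No Expiry <noexp@example.invalid>:
EOF
}

# Print "<fingerprint> <expiry>" for every primary key that expired before $1.
# The comparison uses the expiry timestamp itself, not gpg's validity flag,
# so the result depends only on the key material and the reference time.
expired_keys() {
    awk -F: -v now="$1" '
        # Primary key: remember its expiry and whether it is in the past.
        $1 == "pub" { expiry = $7; want = (expiry != "" && expiry + 0 < now + 0); next }
        # Subkey: its fpr record must not be reported as a primary key.
        $1 == "sub" { want = 0; next }
        # First fpr record after an expired primary key is its fingerprint.
        $1 == "fpr" && want { print $10, expiry; want = 0 }
    '
}

# Constructed reference time; only the first sample key is reported.
sample_listing | expired_keys 1546300800

# Against a real key file (key.asc is a hypothetical name):
#   gpg --show-keys --with-colons key.asc | expired_keys "$(date +%s)"
```

Running the same function over the copy of a key from each source shows where an expired copy is still being served.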