Opened 16 months ago

Closed 7 months ago

#27293 closed defect (wontfix)

Expired core people's gpg keys

Reported by: traumschule
Owned by:
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords:
Cc: dmr, ahf, hiro, hellais, mo, saint, dawuud, donncha, micahlee
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Some key files on tpo / linked keys on the core people page are expired and should be re-uploaded. The following output was created with a script.
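As an added illustration of this kind of check (not the attached tor-check-gpg-keys.sh, whose contents are not shown on this page), the shell function below classifies keys by expiry state from GnuPG's machine-readable listing. The function names, the 30-day warning window and the sample listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Classify primary keys in `gpg --with-colons` output by expiry state.
# Record layout (GnuPG doc/DETAILS): field 1 = record type, 2 = validity
# (e = expired, r = revoked), 5 = key ID, 7 = expiration time.
# Assumption: field 7 is in epoch seconds, as GnuPG 2.x prints it.
# Usage: gpg --show-keys --with-colons key.asc | check_expiry [now] [warn_days]
check_expiry() {
    now=${1:-$(date +%s)}
    warn_days=${2:-30}
    awk -F: -v now="$now" -v warn="$warn_days" '
        $1 != "pub" { next }              # skip sub, uid, fpr and other records
        {
            expires = $7
            if ($2 == "r")
                state = "REVOKED"
            else if ($2 == "e" || (expires != "" && expires + 0 <= now + 0))
                state = "EXPIRED"         # trust the date even if validity is "-"
            else if (expires == "")
                state = "NO_EXPIRY"
            else if (expires - now < warn * 86400)
                state = "EXPIRING_SOON"
            else
                state = "OK"
            print state, $5, (expires == "" ? "-" : expires)
        }'
}

# Constructed sample listing (hypothetical key IDs, not real keys).
sample_keys() {
    cat <<'EOF'
pub:e:4096:1:00000000000000A1:1400000000:1500000000::-:::sc::::::23::0:
uid:e::::1400000000::0000000000000000000000000000000000000000::Constructed One <one@example.invalid>::::::::::0:
sub:e:4096:1:00000000000000B1:1400000000:1500000000:::::e::::::23:
pub:-:4096:1:00000000000000A2:1500000000:1590000000::-:::scESC::::::23::0:
pub:-:4096:1:00000000000000A3:1500000000:1601000000::-:::scESC::::::23::0:
pub:-:255:22:00000000000000A4:1500000000:::-:::scESC:::::ed25519:::0:
pub:-:4096:1:00000000000000A5:1500000000:1700000000::-:::scESC::::::23::0:
pub:r:2048:1:00000000000000A6:1300000000:1700000000::-:::sc::::::23::0:
EOF
}

# Fixed clock so the sample run is reproducible.
sample_keys | check_expiry 1600000000 30
```

A key whose validity field is still "-" is reported as expired once its expiration time has passed, which matters when the listing comes from a file that gpg has not validated.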

Attachments (1)

tor-check-gpg-keys.sh (2.4 KB) - added by traumschule 16 months ago.

Change History (15)

Changed 16 months ago by traumschule

Attachment: tor-check-gpg-keys.sh added

comment:1 Changed 16 months ago by traumschule

Key files on tpo

(edit: removed email addresses, link to keyserver, added DonnchaC)

Last edited 16 months ago by traumschule

comment:2 Changed 16 months ago by traumschule

db.torproject.org

(edit: removed email addresses, removed dgoulet, added ahf, removed iwakeh)

Last edited 13 months ago by traumschule

comment:3 Changed 16 months ago by traumschule

Failed to read

(edit: removed functional links)

Last edited 13 months ago by traumschule

comment:4 Changed 16 months ago by atagar

Component: - Select a component → Webpages/Website

Thanks traumschule. I maintain the corepeople page but the content of individual entries (including the key) is the responsibility of those individuals. Expired keys have been discussed before but nothing really came of it so unsure what to suggest.

If you'd care to run a 'please update your key' campaign with those individuals I certainly wouldn't mind.

comment:5 Changed 16 months ago by traumschule

Updated the script to directly link to the key pool (edit: no need to duplicate the list here)

Last edited 13 months ago by traumschule

comment:6 in reply to:  3 Changed 16 months ago by teor

Replying to traumschule:

> Failed to read
>
> ...

This page links to https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc , which is ok for humans, even if your script doesn't like it.

The SSL certificate on this domain is only valid for github domains.
One possible URL is https://juga0.github.io/files/juga.asc

comment:7 Changed 16 months ago by dmr

Cc: dmr added

comment:8 Changed 16 months ago by traumschule

Reran the script, sent an email.

comment:9 Changed 16 months ago by mo

Thank you traumschule. My new key is 0x7A3DAD4408A0009B4DE9C855858EE1C3B8A4568D
https://www.headstrong.de/0x7A3DAD4408A0009B4DE9C855858EE1C3B8A4568D.asc
https://pgp.mit.edu/pks/lookup?search=0x7A3DAD4408A0009B4DE9C855858EE1C3B8A4568D&op=vindex&exact=on

Transition statement: https://www.headstrong.de/headstrong-transition-statement-2018-08-25.txt.asc

My new key and the transition statement are signed by the old key. It does not yet have a lot of direct signatures by other Tor people and I am not sure about the policy. I will bring paper slips with my fingerprint to Mexico.

I do not have an account on db.torproject.org.

Version 0, edited 16 months ago by mo

comment:10 Changed 16 months ago by hellais

My latest key is published to pgp.mit.edu: http://pgp.mit.edu/pks/lookup?op=get&search=0x5D67CD18702287F4.

I don't remember how to update the key in db.torproject.org, but would be glad to do it if somebody gave me instructions on how to do it.

comment:11 Changed 16 months ago by traumschule

You can open a ticket for Internal Services/Tor Sysadmin Team with a signed statement like here: #26659

comment:12 in reply to:  10 Changed 16 months ago by boklm

Replying to hellais:

> I don't remember how to update the key in db.torproject.org, but would be glad to do it if somebody gave me instructions on how to do it.

https://help.torproject.org/tsa/doc/accounts/#key-rollover

comment:13 Changed 13 months ago by traumschule

Cc: ahf hiro hellais mo saint dawuud donncha micahlee added

Reran the script and updated above. It seems some keys are updated in the pool but not on db.torproject.org, so it could be easily solved with a signed statement to refresh them on db.tpo.

Would be happy to shrink this list a bit more :)

comment:14 Changed 7 months ago by hiro

Resolution: wontfix
Status: new → closed