Opened 14 months ago

Last modified 13 months ago

#27699 new task

Release teams: please verify the website lists the correct key

Reported by: traumschule | Owned by:
Priority: Medium | Milestone:
Component: Applications | Version:
Severity: Normal | Keywords:
Cc: atagar, arma | Actual Points:
Parent ID: #22637 | Points:
Reviewer: | Sponsor:

Description

With #22637 we generate https://www.torproject.org/docs/verifying-signatures.html from https://www.torproject.org/include/keys.txt.

Please confirm that the correct key is listed.

Child Tickets

Ticket | Status | Owner | Summary | Component
#27698 | closed | | Add new Tor Browser subkey to verifying signatures website | Webpages/Website
#28302 | closed | hiro | Update nickm's signing key on signing-keys page | Webpages/Website

Change History (6)

comment:1 Changed 14 months ago by traumschule

Parent ID: #22637

comment:2 Changed 14 months ago by boklm

My key was wrong, so I fixed it with commit c14cc6e77333e8536574d4b09bfbbeb9996290a2.

What was the source for the keys in include/keys.txt? The previous page was listing the correct key, so I'm wondering how the wrong key got added to include/keys.txt.

comment:3 Changed 14 months ago by boklm

Cc: boklm added

comment:4 in reply to: 2; Changed 14 months ago by traumschule

Replying to boklm:

My key was wrong, so I fixed it with commit c14cc6e77333e8536574d4b09bfbbeb9996290a2.

What was the source for the keys in include/keys.txt? The previous page was listing the correct key, so I'm wondering how the wrong key got added to include/keys.txt.

gk's commit 2fa3225325efb70dbb181b598061be2f6379cf7d. I had replaced the short id with the long one.

$ git log docs/en/signing-keys.wml
commit afb8219eaccb2cedb6d21e12ee84136b58133f5d
Author: traumschule <traumschuleriebau@riseup.net>
Date:   Sat Sep 1 04:46:15 2018 +0200

    signing-keys: generate fingerprints from script (#22637)
    
      To update docs/en/singing-keys.wmi execute the perl script
      docs/en/update_signing-keys.pl and commit include/keys.wmi
    
      Signing keys are stored in include/keys.txt

commit 2fa3225325efb70dbb181b598061be2f6379cf7d
Author: Georg Koppen <gk@torproject.org>
Date:   Mon Jun 4 09:11:53 2018 +0000

    Bug 26044: Add new Tor Browser signing sub key

$ git show 2fa3225325efb70dbb181b598061be2f6379cf7d
commit 2fa3225325efb70dbb181b598061be2f6379cf7d
Author: Georg Koppen <gk@torproject.org>
Date:   Mon Jun 4 09:11:53 2018 +0000

    Bug 26044: Add new Tor Browser signing sub key

diff --git a/docs/en/signing-keys.wml b/docs/en/signing-keys.wml
index 4bd3e350..d08b4033 100644
--- a/docs/en/signing-keys.wml
+++ b/docs/en/signing-keys.wml
@@ -14,7 +14,7 @@
 
     <p>The signing keys we use are:</p>
     <ul>
-    <li>The Tor Browser Developers (0x93298290),
+    <li>The Tor Browser Developers (0x4E2C6E8793298290),
     Mike Perry (0x0E3A92E4), Georg Koppen (0x4B7C3223),
     Nicolas Vigier (0xD0220E4B), Linus Nordberg (0x23291265)
     and Arthur Edelstein (0xD752F538C0D38C3A)
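
Review bot: In the list of signing keys, only the Tor Browser Developers entry moves to a 64-bit ID; Mike Perry (0x0E3A92E4), Georg Koppen (0x4B7C3223), Nicolas Vigier (0xD0220E4B) and Linus Nordberg (0x23291265) stay as 32-bit short IDs, which are cheap to collide and do not identify a key uniquely. Convert them in the same change, taking each long ID from the "Key fingerprint" lines further down the page rather than retyping it, so the list and the fingerprint blocks cannot drift apart.
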
@@ -130,9 +130,8 @@
     pub   4096R/0x4E2C6E8793298290 2014-12-15 [expires: 2020-08-24]
           Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     uid   Tor Browser Developers (signing key) &lt;torbrowser@torproject.org&gt;
-    sub   4096R/0x2E1AC68ED40814E0 2014-12-15 [expires: 2017-08-25]
-    sub   4096R/0x7017ADCEF65C2036 2014-12-15 [expires: 2017-08-25]
     sub   4096R/0xD1483FA6C3C07136 2016-08-24 [expires: 2018-08-24]
+    sub   4096R/0xEB774491D9FF06E2 2018-05-26 [expires: 2020-09-12]
 
     pub   2048R/0x42E86A2A11F48D36 2011-05-11 [expires: 2017-05-09]
           Key fingerprint = B744 17ED DF22 AC9F 9E90  F491 42E8 6A2A 11F4 8D36
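
Review bot: The added sub line for 0xEB774491D9FF06E2 expires 2020-09-12, which is later than the 2020-08-24 still shown on the unchanged pub line for 0x4E2C6E8793298290, so the block does not look like it came from a single gpg listing. Regenerate the whole block from a freshly refreshed copy of the key so the primary's expiry and the subkey lines agree.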

$ git show c14cc6e77333e8536574d4b09bfbbeb9996290a2
commit c14cc6e77333e8536574d4b09bfbbeb9996290a2 (HEAD -> master, upstream/master)
Author: Nicolas Vigier <boklm@torproject.org>
Date:   Wed Sep 26 18:53:40 2018 +0200

    signing-keys: fix key for boklm
    
    Re-apply the changes for #25847 (previously done by commits
    c1074e32a8d216feae7 and 5462c6d64523557f4c83).

diff --git a/include/keys.txt b/include/keys.txt
index ea3cf4d4..826467a5 100644
--- a/include/keys.txt
+++ b/include/keys.txt
@@ -2,7 +2,7 @@
 The Tor Browser Developers: 0x4E2C6E8793298290
 Mike Perry: 0x29846B3C683686CC
 Georg Koppen: 0xD1483FA6C3C07136
-Nicolas Vigier: 0xE5B81856D0220E4B
+Nicolas Vigier: 0x3E39CEABFC69F6F7
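
Review bot: The unchanged context line "Georg Koppen: 0xD1483FA6C3C07136" needs the same check as the line being fixed: in the signing-keys.wml diff above, 0xD1483FA6C3C07136 is a sub of the Tor Browser Developers key 0x4E2C6E8793298290, and it does not end in the short ID 0x4B7C3223 that the page listed for Georg Koppen. Mike Perry's 0x29846B3C683686CC likewise does not end in the earlier 0x0E3A92E4. Confirm both against the owners' fingerprints before this file is used as the source for the generated page.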

$ gpg --list-key 0xD0220E4B
pub   rsa4096 2014-03-19 [SC]
      4A90646C0BAED9D456AB3111E5B81856D0220E4B
uid           [ unknown] Nicolas Vigier (TBB Builds Signing Key) <boklm@torproject.org>

$ gpg --list-key 0xE5B81856D0220E4B
pub   rsa4096 2014-03-19 [SC]
      4A90646C0BAED9D456AB3111E5B81856D0220E4B
uid           [ unknown] Nicolas Vigier (TBB Builds Signing Key) <boklm@torproject.org>

$ gpg --list-key 0x3E39CEABFC69F6F7
pub   rsa4096 2015-09-24 [SC]
      6AB6AEE9776E782723C8ACE83E39CEABFC69F6F7
uid           [ unknown] Nicolas Vigier (boklm) <boklm@torproject.org>
uid           [ unknown] Nicolas Vigier (boklm) <boklm@mars-attacks.org>
sub   rsa4096 2016-04-23 [A]
sub   rsa4096 2017-01-25 [S] [expires: 2019-01-22]
sub   rsa4096 2017-01-25 [E] [expires: 2019-01-22]

comment:5 in reply to: 4; Changed 14 months ago by boklm

Replying to traumschule:

Replying to boklm:

My key was wrong, so I fixed it with commit c14cc6e77333e8536574d4b09bfbbeb9996290a2.

What was the source for the keys in include/keys.txt? The previous page was listing the correct key, so I'm wondering how the wrong key got added to include/keys.txt.

gk's commit 2fa3225325efb70dbb181b598061be2f6379cf7d. I had replaced the short id with the long one.

Ah indeed, the short id was wrong in the previous version of the page.

comment:6 Changed 13 months ago by traumschule

Cc: atagar arma added; boklm removed

Shall we replace the short key ids?

  • Roger Dingledine (0x28988BF5 and 0x19F78451)
  • Damian Johnson (0x9ABBEEC6)
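
Added example (not part of the ticket and not the website's update_signing-keys.pl): a sketch of an automated pre-check for the problems discussed in this thread, which flags short IDs, IDs that are really subkeys of another key, and owners with more than one key, where a person still has to confirm the choice. The function names, status strings and both sample inputs are constructed for illustration from IDs quoted above.

```python
import re
# Constructed sample in include/keys.txt's "Name: 0xID" layout, IDs from the ticket.
KEYS_TXT = """\
The Tor Browser Developers: 0x4E2C6E8793298290
Georg Koppen: 0xD1483FA6C3C07136
Nicolas Vigier: 0xE5B81856D0220E4B
Damian Johnson: 0x9ABBEEC6
"""
# Constructed `gpg --with-colons` records: field 5 = key ID, field 10 = user ID.
COLONS = """\
pub:-:4096:1:4E2C6E8793298290:::::
uid:::::::::Tor Browser Developers (signing key) <torbrowser@torproject.org>:
sub:-:4096:1:D1483FA6C3C07136:::::
pub:-:4096:1:E5B81856D0220E4B:::::
uid:::::::::Nicolas Vigier (TBB Builds Signing Key) <boklm@torproject.org>:
pub:-:4096:1:3E39CEABFC69F6F7:::::
uid:::::::::Nicolas Vigier (boklm) <boklm@torproject.org>:
"""

def load_keyring(colons):
    """Return {long_id: (record_type, primary_id)} and {primary_id: [uids]}."""
    ids, uids, primary = {}, {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, uids[f[4]] = f[4], []
        if f[0] in ("pub", "sub"):
            ids[f[4]] = (f[0], primary)
        elif f[0] == "uid":
            uids[primary].append(f[9])
    return ids, uids

def classify(name, key_id, ids, uids):
    if len(key_id) < 16:
        return "short-id"                  # 32-bit IDs do not identify one key
    if key_id not in ids:
        return "not-in-keyring"
    kind, primary = ids[key_id]
    if kind == "sub":
        return "subkey-of " + primary      # listed ID belongs under another key
    needle = re.sub(r"^The ", "", name)    # keys.txt says "The Tor Browser ..."
    owners = [p for p, us in uids.items() if any(needle in u for u in us)]
    if primary not in owners:
        return "uid-mismatch"
    return "owner-has-other-keys" if len(owners) > 1 else "ok"

def audit(keys_txt, colons):
    ids, uids = load_keyring(colons)
    rows = re.findall(r"^(.+): 0x([0-9A-Fa-f]+)$", keys_txt, re.M)
    return {n: classify(n, k.upper(), ids, uids) for n, k in rows}
```

A result of "owner-has-other-keys" is the case from comment 2: the ID is valid and carries the right name, so only the key's owner can say whether it is the one meant for the page.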