Opened 8 years ago

Closed 8 years ago

#2883 closed enhancement (fixed)

Add Robert Hogan's OpenPGP fingerprint to docs/en/verifying-signatures.wml

Reported by: rransom
Owned by: mwenge
Priority: High
Component: Webpages/Website
Parent ID: #2399

Description

Robert Hogan signs torsocks releases with a GPG key. Its fingerprint should be on the verifying-signatures page.

Change History (7)

comment:1 Changed 8 years ago by atagar

Torsocks is distributed via 'http://code.google.com/p/torsocks/' rather than our site. What is the purpose for adding his key here? Should we add mine and those of the Tails devs too?

comment:2 in reply to:  1 Changed 8 years ago by rransom

Replying to atagar:

> Torsocks is distributed via 'http://code.google.com/p/torsocks/' rather than our site. What is the purpose for adding his key here? Should we add mine and those of the Tails devs too?

The torsocks Git repo is on git.tpo, and it's a fairly critical program for Tor users on Unixoid OSes. Your key should be added to the verifying-signatures page, too.

I'm less sure about the Tails signing key (neither their source repo nor their main download site are on torproject.org), but I think adding it to the page (with a clear indication of what it signs) would certainly be justifiable.

comment:3 Changed 8 years ago by mwenge

Parent ID: #2399

I should add my pgp public key to the torsocks project page for now anyway. I think the verifying signatures page is only for packages made available from the downloads page. So if torsocks is added there, the public key should be added to the signatures page too I guess.

comment:4 in reply to:  3 Changed 8 years ago by rransom

Replying to mwenge:

> I should add my pgp public key to the torsocks project page for now anyway. I think the verifying signatures page is only for packages made available from the downloads page. So if torsocks is added there, the public key should be added to the signatures page too I guess.

Many of the keys on that page do not sign files listed on the main download page:

  • Mike Perry's key listed on that page signs Torbutton XPIs.
  • Karsten Loesing's key listed there signed some metrics archive tarballs.
  • Jacob Appelbaum's key signed a ttdnsd release tarball.
  • Matt Edman's key signed Vidalia release tarballs.

Your key signs torsocks tarballs and torsocks Git tags available from git.tpo. Get it onto the verifying-signatures page.

comment:5 Changed 8 years ago by rransom

$ git tag -v 1.1        
object fda06ecbfe4894a07a3d202748803b313da35d6a
type commit
tag 1.1
tagger Robert Hogan <robert@roberthogan.net> 1292085045 +0000

version 1.1
gpg: Signature made Sat 11 Dec 2010 08:30:45 AM PST using DSA key ID 22F6856F
gpg: Good signature from "Robert Hogan <robert@roberthogan.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
% gpg --check-sigs 0x22F6856F         
pub   1024D/22F6856F 2006-08-19
uid                  Robert Hogan <robert@roberthogan.net>
sig!         43229873 2008-05-05  Piotrowski Grzegorz (harcesz) <harcesz@obin.org>
sig!3        22F6856F 2006-08-19  Robert Hogan <robert@roberthogan.net>
sub   1024g/FC4A9460 2006-08-19
sig!         22F6856F 2006-08-19  Robert Hogan <robert@roberthogan.net>

% gpg --fingerprint 0x22F6856F
pub   1024D/22F6856F 2006-08-19
      Key fingerprint = DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
uid                  Robert Hogan <robert@roberthogan.net>
sub   1024g/FC4A9460 2006-08-19

Is this the right key?

comment:6 in reply to:  5 Changed 8 years ago by mwenge

Replying to rransom:

> $ git tag -v 1.1
> object fda06ecbfe4894a07a3d202748803b313da35d6a
> type commit
> tag 1.1
> tagger Robert Hogan <robert@roberthogan.net> 1292085045 +0000
>
> version 1.1
> gpg: Signature made Sat 11 Dec 2010 08:30:45 AM PST using DSA key ID 22F6856F
> gpg: Good signature from "Robert Hogan <robert@roberthogan.net>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
> % gpg --check-sigs 0x22F6856F
> pub   1024D/22F6856F 2006-08-19
> uid                  Robert Hogan <robert@roberthogan.net>
> sig!         43229873 2008-05-05  Piotrowski Grzegorz (harcesz) <harcesz@obin.org>
> sig!3        22F6856F 2006-08-19  Robert Hogan <robert@roberthogan.net>
> sub   1024g/FC4A9460 2006-08-19
> sig!         22F6856F 2006-08-19  Robert Hogan <robert@roberthogan.net>
>
> % gpg --fingerprint 0x22F6856F
> pub   1024D/22F6856F 2006-08-19
>       Key fingerprint = DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
> uid                  Robert Hogan <robert@roberthogan.net>
> sub   1024g/FC4A9460 2006-08-19
>
> Is this the right key?

Yes, that's the one!
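
Added example (not part of the ticket, and not the Tor Project's or torsocks' own tooling): a POSIX shell check that pins the full 40-digit fingerprint confirmed above rather than the 8-digit key ID, by reading the GnuPG status lines that `git verify-tag --raw` prints. The function names and both sample status blocks are constructed for illustration; the second sample's fingerprint is made up to share the short ID.

```shell
#!/bin/sh
# Added example: pin the full fingerprint from this ticket, not the short key ID.
PINNED_FPR="DDB46B5B7950CD47E59B51894C0925CF22F6856F"

# Strip whitespace and uppercase, so "DDB4 6B5B ..." and "ddb46b5b..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read GnuPG status lines on stdin; print the primary-key fingerprint only if
# both GOODSIG and VALIDSIG are present (VALIDSIG alone can also accompany an
# expired or revoked key). Field 12 is the primary key; older gpg omits it.
fpr_from_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
        END { if (good && fpr != "") print fpr }'
}

# Succeed only when the status on stdin names exactly the pinned fingerprint.
status_matches_pin() {
    got=$(fpr_from_status)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# Usage inside a clone: verify_tag_pinned 1.1 "$PINNED_FPR"
# --raw sends the status lines to stderr; anything on stdout is discarded.
verify_tag_pinned() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | status_matches_pin "$2"
}

# Constructed sample: status for a tag signed by the pinned key.
sample_status_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4C0925CF22F6856F Robert Hogan <robert@roberthogan.net>
[GNUPG:] VALIDSIG DDB46B5B7950CD47E59B51894C0925CF22F6856F 2010-12-11 1292085045 0 4 0 17 2 00 DDB46B5B7950CD47E59B51894C0925CF22F6856F
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed sample: a different key whose short ID is also 22F6856F.
sample_status_lookalike() {
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF22F6856F Robert Hogan <robert@roberthogan.net>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF22F6856F 2010-12-11 1292085045 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF22F6856F
EOF
}
```

A match means the tag was signed by the key whose fingerprint the ticket confirmed; the pin is only as trustworthy as the channel it was copied from.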

comment:7 Changed 8 years ago by rransom

Resolution: fixed
Status: new → closed

Fixed in r24620 and r24622.
