Skip to content
Snippets Groups Projects
New look: Off

Add Robert Hogan's OpenPGP fingerprint to docs/en/verifying-signatures.wml

    • Closed (moved) Issue created by Robert Ransom @rransom

    Robert Hogan signs torsocks releases with a GPG key. Its fingerprint should be on the verifying-signatures page.

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items 0

    • No child items are currently assigned. Use child items to break down this issue into smaller parts.

    Activity

    • Robert Ransom added component::webpages/website owner::mwenge parent::2399 priority::high resolution::fixed status::closed type::enhancement labels

      added component::webpages/website owner::mwenge parent::2399 priority::high resolution::fixed status::closed type::enhancement labels

    • A
      Damian Johnson @atagar ·

      Torsocks is distributed via 'http://code.google.com/p/torsocks/' rather than our site. What is the purpose for adding his key here? Should we add mine and those of the Tails devs too?

    • R
      Robert Ransom @rransom ·
      Author

      Replying to atagar:

      Torsocks is distributed via 'http://code.google.com/p/torsocks/' rather than our site. What is the purpose for adding his key here? Should we add mine and those of the Tails devs too?

      The torsocks Git repo is on git.tpo, and it's a fairly critical program for Tor users on Unixoid OSes. Your key should be added to the verifying-signatures page, too.

      I'm less sure about the Tails signing key (neither their source repo nor their main download site are on torproject.org), but I think adding it to the page (with a clear indication of what it signs) would certainly be justifiable.

    • H
      Robert Hogan @hoganrobert ·

      I should add my pgp public key to the torsocks project page for now anyway. I think the verifying signatures page is only for packages made available from the downloads page. So if torsocks is added there, the public key should be added to the signatures page too I guess.

      Trac:
      Parent: N/A to #2399 (closed)

    • R
      Robert Ransom @rransom ·
      Author

      Replying to mwenge:

      I should add my pgp public key to the torsocks project page for now anyway. I think the verifying signatures page is only for packages made available from the downloads page. So if torsocks is added there, the public key should be added to the signatures page too I guess.

      Many of the keys on that page do not sign files listed on the main download page:

      • Mike Perry's key listed on that page signs Torbutton XPIs.
      • Karsten Loesing's key listed there signed some metrics archive tarballs.
      • Jacob Appelbaum's key signed a ttdnsd release tarball.
      • Matt Edman's key signed Vidalia release tarballs.

      Your key signs torsocks tarballs and torsocks Git tags available from git.tpo. Get it onto the verifying-signatures page.

    • R
      Robert Ransom @rransom ·
      Author 
      $ git tag -v 1.1        
object fda06ecbfe4894a07a3d202748803b313da35d6a
type commit
tag 1.1
tagger Robert Hogan <robert@roberthogan.net> 1292085045 +0000

version 1.1
gpg: Signature made Sat 11 Dec 2010 08:30:45 AM PST using DSA key ID 22F6856F
gpg: Good signature from "Robert Hogan <robert@roberthogan.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
% gpg --check-sigs 0x22F6856F         
pub   1024D/22F6856F 2006-08-19
uid                  Robert Hogan <robert@roberthogan.net>
sig!         43229873 2008-05-05  Piotrowski Grzegorz (harcesz) <harcesz@obin.org>
sig!3        22F6856F 2006-08-19  Robert Hogan <robert@roberthogan.net>
sub   1024g/FC4A9460 2006-08-19
sig!         22F6856F 2006-08-19  Robert Hogan <robert@roberthogan.net>

% gpg --fingerprint 0x22F6856F
pub   1024D/22F6856F 2006-08-19
      Key fingerprint = DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
uid                  Robert Hogan <robert@roberthogan.net>
sub   1024g/FC4A9460 2006-08-19

      Is this the right key?

    • H
      Robert Hogan @hoganrobert ·

      Replying to rransom:

      {{{ $ git tag -v 1.1
      object fda06ecbfe4894a07a3d202748803b313da35d6a type commit tag 1.1 tagger Robert Hogan robert@roberthogan.net 1292085045 +0000

      version 1.1 gpg: Signature made Sat 11 Dec 2010 08:30:45 AM PST using DSA key ID 22F6856F gpg: Good signature from "Robert Hogan robert@roberthogan.net" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DDB4 6B5B 7950 CD47 E59B 5189 4C09 25CF 22F6 856F % gpg --check-sigs 0x22F6856F
      pub 1024D/22F6856F 2006-08-19 uid Robert Hogan robert@roberthogan.net sig! 43229873 2008-05-05 Piotrowski Grzegorz (harcesz) harcesz@obin.org sig!3 22F6856F 2006-08-19 Robert Hogan robert@roberthogan.net sub 1024g/FC4A9460 2006-08-19 sig! 22F6856F 2006-08-19 Robert Hogan robert@roberthogan.net

      % gpg --fingerprint 0x22F6856F pub 1024D/22F6856F 2006-08-19 Key fingerprint = DDB4 6B5B 7950 CD47 E59B 5189 4C09 25CF 22F6 856F uid Robert Hogan robert@roberthogan.net sub 1024g/FC4A9460 2006-08-19

      }}}

      Is this the right key?

      Yes, that's the one!

    • R
      Robert Ransom @rransom ·
      Author

      Fixed in r24620 and r24622.

      Trac:
      Status: new to closed
      Resolution: N/A to fixed

    • Trac closed

      closed

    • Trac moved to tpo/web/trac#2883 (closed)

      moved to tpo/web/trac#2883 (closed)

    Please register or sign in to reply