Opened 7 months ago

Closed 3 weeks ago

Last modified 3 weeks ago

#30548 closed task (fixed)

Clean up keyring files

Reported by: boklm Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-rbm, TorBrowserTeam201911R
Cc: Actual Points: 0.1
Parent ID: Points: 0.25
Reviewer: Sponsor:

Description

In keyring/*.gpg, some of the keyring files include some old keys or subkeys that we don't need anymore. We should remove all the keys and subkeys that we don't need (including expired keys).

Child Tickets

Ticket | Status | Owner | Summary | Component
#30549 | closed | tbb-team | Add script to remove expired sub-keys from a keyring file | Applications/Tor Browser

Change History (12)

comment:1 Changed 5 months ago by boklm

Keywords: TorBrowserTeam201907R added; TorBrowserTeam201905 removed
Status: new → needs_review

There is a patch doing some cleanup of the keyring files in branch bug_30548_v2:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_30548_v2&id=5a5a25f01d22d23308da66072f4d63f1cf6c3268

This branch is based on the fixup patch for #30549, which is not merged yet.

The diff from the output of list-all-keyrings is:

--- 1.txt	2019-07-05 19:32:49.849000000 +0200
+++ 2.txt	2019-07-05 19:32:41.700000000 +0200
@@ -12,8 +12,8 @@
 uid                 [ unknown] Brad King
 uid                 [ unknown] Brad King <brad.king@kitware.com>
 uid                 [ unknown] [jpeg image of size 4005]
-sub   rsa4096/9C3A05C82A58B985 2010-02-16 [E] [expired: 2016-08-12]
-sub   rsa4096/2D2CEF1034921684 2015-08-13 [S] [expired: 2016-08-12]
+sub   rsa4096/9C3A05C82A58B985 2010-02-16 [E] [expires: 2019-08-12]
+sub   rsa4096/2D2CEF1034921684 2015-08-13 [S] [expires: 2019-08-12]
 
 ./keyring/firefox.gpg
 ---------------------
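Review bot: the two subkeys under the Brad King key at the end of this hunk (9C3A05C82A58B985 and 2D2CEF1034921684) now read [expires: 2019-08-12], which is only about five weeks after the 2019-07-05 timestamps on the two listing files, so this keyring will show expired subkeys again shortly after the cleanup lands. It would help to record in the commit message where the refreshed key was fetched from, so that the next refresh is a repeatable step.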
@@ -98,132 +98,48 @@
 
 ./keyring/tor.gpg
 -----------------
-pub   rsa4096/FE43009C4607B1FB 2016-09-21 [C] [expires: 2019-09-21]
+pub   rsa4096/FE43009C4607B1FB 2016-09-21 [C] [expires: 2020-09-16]
       2133BC600AB133E1D826D173FE43009C4607B1FB
 uid                 [ unknown] Nick Mathewson <nickm@alum.mit.edu>
 uid                 [ unknown] Nick Mathewson <nickm@wangafu.net>
 uid                 [ unknown] Nick Mathewson <nickm@freehaven.net>
 uid                 [ unknown] Nick Mathewson <nickm@torproject.org>
-sub   rsa4096/6AFEE6D49E92B601 2016-09-23 [S] [expired: 2018-09-23]
-sub   rsa4096/91DDED0286AC8BFF 2016-09-23 [E] [expired: 2018-09-23]
+sub   rsa4096/6AFEE6D49E92B601 2016-09-23 [S] [expires: 2020-09-16]
+sub   rsa4096/91DDED0286AC8BFF 2016-09-23 [E] [expires: 2020-09-16]
 
 pub   rsa4096/C218525819F78451 2010-05-07 [SC]
       F65CE37F04BA5B360AE6EE17C218525819F78451
 uid                 [ unknown] Roger Dingledine <arma@mit.edu>
 uid                 [ unknown] Roger Dingledine <arma@freehaven.net>
 uid                 [ unknown] Roger Dingledine <arma@torproject.org>
-sub   rsa4096/F05501B4C931269D 2010-05-07 [E] [expired: 2011-05-07]
-sub   rsa4096/900BD5E8BA694D6A 2011-04-26 [E] [expired: 2012-05-08]
-sub   rsa4096/366705089B11185C 2012-05-02 [E] [expired: 2013-05-02]
-sub   rsa4096/690234AC0DCC0FE1 2013-05-09 [E] [expired: 2014-05-09]
-sub   rsa4096/BA4F93601E7DA77B 2014-06-02 [E] [expired: 2015-06-02]
-sub   rsa4096/923513C6B0E5067D 2015-06-10 [E] [expired: 2016-06-09]
-sub   rsa4096/505002551A604C9F 2016-06-09 [E] [expired: 2018-06-09]
+sub   rsa4096/514465B3293BCA59 2019-06-14 [E] [expires: 2021-06-13]
 
 ./keyring/torbrowser.gpg
 ------------------------
 pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
       EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
 uid                 [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
-sub   rsa4096/2E1AC68ED40814E0 2014-12-15 [S] [expired: 2017-08-25]
-sub   rsa4096/7017ADCEF65C2036 2014-12-15 [S] [expired: 2017-08-25]
-sub   rsa4096/2D000988589839A3 2014-12-15 [S] [revoked: 2015-08-26]
-sub   rsa4096/D1483FA6C3C07136 2016-08-24 [S] [expired: 2018-08-24]
 sub   rsa4096/EB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
 
 ./keyring/torbutton.gpg
 -----------------------
-pub   dsa1024/1B0CA30CDDC6C0AD 2006-07-26 [SC]
-      BECD90EDD1EE87367980ECF81B0CA30CDDC6C0AD
-uid                 [ unknown] Mike Perry <mikeperry@fscked.org>
-uid                 [ unknown] Mike Perry <mikepery@fscked.org>
-sub   elg4096/8DBC790AAF0A91D7 2006-07-26 [E]
-
-pub   rsa8192/29846B3C683686CC 2013-09-11 [SC]
-      C963C21D63564E2B10BB335B29846B3C683686CC
-uid                 [ unknown] Mike Perry <mikeperry@endarken.info>
-uid                 [ unknown] Mike Perry (Regular use key) <mikeperry@torproject.org>
-uid                 [ unknown] Mike Perry (Regular use key) <mikeperry@fscked.org>
-uid                 [ unknown] Mike Perry <mikeperry@unencrypted.info>
-sub   rsa4096/717F1F130E3A92E4 2013-09-11 [S] [expired: 2014-09-11]
-sub   rsa4096/A3BD8153BC40FFA0 2013-09-11 [E] [expired: 2014-09-11]
-sub   rsa4096/4102F895D2F1E186 2014-09-08 [S] [expired: 2015-09-08]
-sub   rsa4096/6A98BF5993125AD5 2014-09-08 [E] [expired: 2015-09-08]
-sub   rsa4096/E23BB32C0F129402 2015-09-07 [S] [expired: 2016-09-11]
-sub   rsa4096/B0D1CB47ACC0A961 2015-09-07 [E] [expired: 2016-09-11]
-
-pub   rsa4096/94373AA94B7C3223 2013-07-30 [SC]
-      35CD74C24A9B15A19E1A81A194373AA94B7C3223
-uid                 [ unknown] Georg Koppen <gk@torproject.org>
-uid                 [ unknown] Georg Koppen <georg@getfoxyproxy.org>
-uid                 [ unknown] Georg Koppen <groeg@vfemail.net>
-sub   rsa4096/ED714BC197955E07 2013-07-30 [E] [expired: 2014-07-30]
-sub   rsa4096/E82D615DAC3A821D 2013-07-30 [S] [expired: 2014-07-30]
-sub   rsa4096/EDC67D98A97A53DC 2014-07-08 [S] [expired: 2015-07-08]
-sub   rsa4096/975AAD47E5AE3C98 2014-07-08 [E] [expired: 2015-07-08]
-sub   rsa4096/BBB97AC924690903 2015-07-20 [S] [expired: 2016-07-19]
-sub   rsa4096/57833E6F631602F4 2015-07-20 [E] [expired: 2016-07-19]
-
-pub   rsa4096/94373AA94B7C3223 2013-07-30 [SC]
-      35CD74C24A9B15A19E1A81A194373AA94B7C3223
-uid                 [ unknown] Georg Koppen <gk@torproject.org>
-uid                 [ unknown] Georg Koppen <georg@getfoxyproxy.org>
-uid                 [ unknown] Georg Koppen <groeg@vfemail.net>
-sub   rsa4096/ED714BC197955E07 2013-07-30 [E] [expired: 2014-07-30]
-sub   rsa4096/E82D615DAC3A821D 2013-07-30 [S] [expired: 2014-07-30]
-sub   rsa4096/EDC67D98A97A53DC 2014-07-08 [S] [expired: 2015-07-08]
-sub   rsa4096/975AAD47E5AE3C98 2014-07-08 [E] [expired: 2015-07-08]
-sub   rsa4096/BBB97AC924690903 2015-07-20 [S] [expired: 2016-08-01]
-sub   rsa4096/57833E6F631602F4 2015-07-20 [E] [expired: 2016-08-01]
-
 pub   rsa4096/94373AA94B7C3223 2013-07-30 [SC]
       35CD74C24A9B15A19E1A81A194373AA94B7C3223
 uid                 [ unknown] Georg Koppen <gk@torproject.org>
 uid                 [ unknown] Georg Koppen <georg@getfoxyproxy.org>
 uid                 [ unknown] Georg Koppen <groeg@vfemail.net>
-sub   rsa4096/ED714BC197955E07 2013-07-30 [E] [expired: 2014-07-30]
-sub   rsa4096/E82D615DAC3A821D 2013-07-30 [S] [expired: 2014-07-30]
-sub   rsa4096/EDC67D98A97A53DC 2014-07-08 [S] [expired: 2015-07-08]
-sub   rsa4096/975AAD47E5AE3C98 2014-07-08 [E] [expired: 2015-07-08]
-sub   rsa4096/BBB97AC924690903 2015-07-20 [S] [expired: 2016-08-01]
-sub   rsa4096/57833E6F631602F4 2015-07-20 [E] [expired: 2016-08-01]
-sub   rsa4096/2F7477373D6B000D 2016-08-01 [E] [expired: 2017-09-11]
-sub   rsa4096/AA602CC00C257CF7 2016-08-01 [S] [expired: 2017-09-11]
-
-pub   rsa4096/94373AA94B7C3223 2013-07-30 [SC]
-      35CD74C24A9B15A19E1A81A194373AA94B7C3223
-uid                 [ unknown] Georg Koppen <gk@torproject.org>
-uid                 [ unknown] Georg Koppen <georg@getfoxyproxy.org>
-uid                 [ unknown] Georg Koppen <groeg@vfemail.net>
-sub   rsa4096/ED714BC197955E07 2013-07-30 [E] [expired: 2014-07-30]
-sub   rsa4096/E82D615DAC3A821D 2013-07-30 [S] [expired: 2014-07-30]
-sub   rsa4096/EDC67D98A97A53DC 2014-07-08 [S] [expired: 2015-07-08]
-sub   rsa4096/975AAD47E5AE3C98 2014-07-08 [E] [expired: 2015-07-08]
-sub   rsa4096/BBB97AC924690903 2015-07-20 [S] [expired: 2016-08-01]
-sub   rsa4096/57833E6F631602F4 2015-07-20 [E] [expired: 2016-08-01]
-sub   rsa4096/2F7477373D6B000D 2016-08-01 [E] [expired: 2017-09-11]
-sub   rsa4096/AA602CC00C257CF7 2016-08-01 [S] [expired: 2017-09-11]
-sub   rsa4096/5778071EE2DE675B 2017-09-11 [E] [expired: 2018-09-11]
-sub   rsa4096/72E841BB93148AD2 2017-09-11 [S] [expired: 2018-09-11]
-
-pub   rsa4096/94373AA94B7C3223 2013-07-30 [SC]
-      35CD74C24A9B15A19E1A81A194373AA94B7C3223
-uid                 [ unknown] Georg Koppen <gk@torproject.org>
-uid                 [ unknown] Georg Koppen <georg@getfoxyproxy.org>
-uid                 [ unknown] Georg Koppen <groeg@vfemail.net>
-sub   rsa4096/ED714BC197955E07 2013-07-30 [E] [expired: 2014-07-30]
-sub   rsa4096/E82D615DAC3A821D 2013-07-30 [S] [expired: 2014-07-30]
-sub   rsa4096/EDC67D98A97A53DC 2014-07-08 [S] [expired: 2015-07-08]
-sub   rsa4096/975AAD47E5AE3C98 2014-07-08 [E] [expired: 2015-07-08]
-sub   rsa4096/BBB97AC924690903 2015-07-20 [S] [expired: 2016-08-01]
-sub   rsa4096/57833E6F631602F4 2015-07-20 [E] [expired: 2016-08-01]
-sub   rsa4096/2F7477373D6B000D 2016-08-01 [E] [expired: 2017-09-11]
-sub   rsa4096/AA602CC00C257CF7 2016-08-01 [S] [expired: 2017-09-11]
-sub   rsa4096/5778071EE2DE675B 2017-09-11 [E] [expired: 2018-09-11]
-sub   rsa4096/72E841BB93148AD2 2017-09-11 [S] [expired: 2018-09-11]
 sub   rsa4096/A56713B4E04028B4 2018-09-09 [E] [expires: 2019-09-11]
 sub   rsa4096/4D92A7E4AB73EC54 2018-09-09 [S] [expires: 2019-09-11]
 
+pub   rsa8192/29846B3C683686CC 2013-09-11 [SC]
+      C963C21D63564E2B10BB335B29846B3C683686CC
+uid                 [ unknown] Mike Perry <mikeperry@endarken.info>
+uid                 [ unknown] Mike Perry <mikeperry@unencrypted.info>
+uid                 [ unknown] Mike Perry (Regular use key) <mikeperry@fscked.org>
+uid                 [ unknown] Mike Perry (Regular use key) <mikeperry@torproject.org>
+sub   rsa4096/660DDE645EEFF156 2019-01-23 [S] [expires: 2020-12-22]
+sub   rsa4096/BB87D54A948287DE 2019-01-23 [E] [expires: 2020-12-22]
+
 ./keyring/ubuntu.gpg
 --------------------
 pub   dsa1024/46181433FBB75451 2004-12-30 [SC]
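Review bot: the removed [S] subkeys in the torbrowser.gpg and torbutton.gpg sections (for example D1483FA6C3C07136, AA602CC00C257CF7 and 72E841BB93148AD2) should each be checked against the tags and tarballs the build still verifies, because a signature made by a subkey that is no longer in the keyring cannot be verified against it. Also worth stating in the commit message: the torbutton.gpg section previously listed the primary key 94373AA94B7C3223 several times, and the subkeys kept for it (A56713B4E04028B4 and 4D92A7E4AB73EC54) expire on 2019-09-11, so that key will need another refresh soon.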

The remaining expired keys are:

./keyring/llvm.gpg
------------------
pub   rsa2048/8F0871F202119294 2014-05-06 [SC] [expired: 2019-04-18]
      11E521D646982372EB577A1F8F0871F202119294
uid                 [ expired] Tom Stellard <tom@stellard.net>
sub   rsa2048/B1CE97A9C733ECDD 2014-05-06 [E] [expired: never     ]

./keyring/yawning.gpg
---------------------
pub   rsa16384/BFBD1C7B8A6EC81A 2013-10-27 [SC]
      9EB1A490C73CC5D44DFB3E47BFBD1C7B8A6EC81A
uid                 [ unknown] Yawning Angel <yawning@torproject.org>
uid                 [ unknown] Yawning Angel <yawning@schwanenlied.me>
sub   rsa4096/FE2F905A0807C068 2013-10-27 [S] [expired: 2018-08-16]
sub   rsa4096/EA9272CEEDD2E2F4 2013-10-27 [E] [expired: 2018-08-16]
sub   rsa4096/D033D01944299925 2013-10-27 [A] [expired: 2018-08-16]
sub   rsa4096/B32409AF94177139 2018-08-28 [S] [expires: 2019-08-28]
sub   rsa4096/6F96E73B22F46F95 2018-08-28 [E] [expires: 2019-08-28]
sub   rsa4096/2CAADBF5F632F278 2018-08-28 [A] [expires: 2019-08-28]

For the llvm.gpg key, I could not find an updated key. For Yawning's key, we still need the expired subkey, for the obfs4 tag we are using.
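The listing format quoted in comment:1 can be triaged mechanically. The following Python script is an added example, not part of the ticket or of tor-browser-build's own scripts: it parses that human-readable listing (sample abridged from the ticket's "before" listing), separates stale primary or signing-capable keys, which need the kind of check described above for Yawning's key, from stale encryption-only subkeys, and flags primary keys listed more than once in a keyring. The function name `triage` and the bucket names are assumptions made for this example.

```python
import re
from collections import Counter

# Abridged from the "before" side of the listing quoted in this ticket.
SAMPLE = """\
./keyring/torbrowser.gpg
pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
sub   rsa4096/2E1AC68ED40814E0 2014-12-15 [S] [expired: 2017-08-25]
sub   rsa4096/2D000988589839A3 2014-12-15 [S] [revoked: 2015-08-26]
sub   rsa4096/EB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]

./keyring/torbutton.gpg
pub   rsa4096/94373AA94B7C3223 2013-07-30 [SC]
sub   rsa4096/975AAD47E5AE3C98 2014-07-08 [E] [expired: 2015-07-08]

pub   rsa4096/94373AA94B7C3223 2013-07-30 [SC]
sub   rsa4096/AA602CC00C257CF7 2016-08-01 [S] [expired: 2017-09-11]
sub   rsa4096/4D92A7E4AB73EC54 2018-09-09 [S] [expires: 2019-09-11]
"""

# pub/sub line: type, 16-hex key id, creation date, [usage], optional [state: date]
KEY_RE = re.compile(r"^(pub|sub)\s+\w+/([0-9A-F]{16}) \d{4}-\d\d-\d\d "
                    r"\[(\w+)\](?: \[(\w+):[^\]]*\])?\s*$")

def triage(listing):
    """Per keyring: stale keys to check first, other stale keys, duplicated primaries."""
    report, ring, seen = {}, None, Counter()
    for line in listing.splitlines():
        if line.startswith("./") and line.endswith(".gpg"):
            ring = report.setdefault(line, {"check_first": [], "droppable": [], "dupes": []})
            seen = Counter()
            continue
        m = KEY_RE.match(line)
        if ring is None or not m:
            continue
        kind, keyid, usage, state = m.groups()
        if kind == "pub":
            seen[keyid] += 1
            if seen[keyid] == 2:
                ring["dupes"].append(keyid)
        if state in ("expired", "revoked"):
            # A primary key or [S] subkey may still be needed to verify a pinned tag.
            bucket = "check_first" if kind == "pub" or "S" in usage else "droppable"
            if keyid not in ring[bucket]:
                ring[bucket].append(keyid)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Keys reported under `check_first` are candidates for removal only after confirming that nothing the build verifies was signed with them.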

comment:2 Changed 5 months ago by gk

Keywords: TorBrowserTeam201908R added; TorBrowserTeam201907R removed

No July any longer.

comment:3 Changed 3 months ago by gk

Keywords: TorBrowserTeam201909R added; TorBrowserTeam201908R removed

No August anymore.

comment:4 Changed 2 months ago by pili

Keywords: TorBrowserTeam201910R added; TorBrowserTeam201909R removed

We're now in October, moving September outstanding reviews to October

comment:5 Changed 6 weeks ago by pili

Keywords: TorBrowserTeam201911 added

Moving tickets to November 2019

comment:6 Changed 6 weeks ago by pili

Points: 0.25

comment:7 Changed 6 weeks ago by gk

Keywords: TorBrowserTeam201911R added; TorBrowserTeam201910R removed

There is no way to do reviews in October 2019 anymore.

comment:8 Changed 6 weeks ago by gk

Keywords: TorBrowserTeam201911 removed

No need for duplicate keyword.

comment:9 Changed 3 weeks ago by gk

Actual Points: 0.1

Okay, I finally looked at it. Looks mostly good. I took recent developments into account and pushed a new branch bug_30548_v2 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_30548_v2&id=50d4263376a0db5c23166c818c6c5984b44a581b). We could take that one if we like it. Three things noteworthy compared to the previous patch:

1) I removed Yawning's older subkeys as we don't need them anymore
2) Mike is not signing Torbutton/Tor Browser releases anymore. Thus, I removed all of his keys
3) We need the expired CMake key for the latest tag we use

Note: I think we should be good with respect to the keybox issue in #30549. I just used gpg --export for keys I changed.

comment:10 Changed 3 weeks ago by boklm

comment:11 in reply to:  10 ; Changed 3 weeks ago by gk

Resolution: fixed
Status: needs_review → closed

Replying to boklm:

> It seems the cmake key with updated expiration date can be downloaded from:
> https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_30548_v4&id=99c3350b632cc87136fcaf0531da7c5f46143ab9

Ah, indeed, good point. Thanks.

> I updated the cmake key in my branch bug_30548_v4:
> https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_30548_v4&id=99c3350b632cc87136fcaf0531da7c5f46143ab9
>
> With this change it looks good to me.

Merged to master (commit 99c3350b632cc87136fcaf0531da7c5f46143ab9), finally.

comment:12 in reply to:  11 Changed 3 weeks ago by gk

Replying to gk:

> Replying to boklm:
>
> > [snip]
> >
> > With this change it looks good to me.
>
> Merged to master (commit 99c3350b632cc87136fcaf0531da7c5f46143ab9), finally.

I figured that this will be something we like to have on maint-9.0 as well. Thus, I cherry-picked the patch onto that branch (commit 6b722f712e666bdc4b80694a89b0950e42f3574a).
