Opened 11 months ago

Last modified 5 months ago

#31090 reopened defect

stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org

Reported by: adrelanos
Priority: Medium
Component: Webpages
Severity: Normal
Cc: whonix-devel@…

Description

Quote (bold not added by me)

High-risk users should stop using the keyserver network immediately.

Originator of quote, again quoting directly:

Robert J. Hansen <rjh@…>. I maintain the GnuPG FAQ and unofficially hold the position of crisis communicator. This is not an official statement of the GnuPG project, but does come from someone with commit access to the GnuPG git repo.

See also:
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html

Other reasons:

  • Apart from this, keyservers have been unreliable for a long time now. This alone is a reason for at least providing an optional download of public keys.
  • While https://support.torproject.org/tbb/how-to-verify-signature/ can be viewed in Tor Browser, doing networking outside of Tor Browser (gpg --recv-keys) is non-trivial to do torified. Also for that reason it would be better if users could get both the information on how to verify and the gpg public key from the same source.

Child Tickets

Change History (4)

comment:1 Changed 11 months ago by ggus

Resolution: duplicate
Status: new → closed

See ticket #31168

comment:2 Changed 6 months ago by adrelanos

Resolution: duplicate (cleared)
Status: closed → reopened

I don't think this is a duplicate and I don't think this was solved. The reasons to no longer use keyservers are still valid.

I've downloaded Tor. Not Tor Browser.

For that I need Nick's signing key 7A02B3521DC75C542BA015456AFEE6D49E92B601.

https://support.torproject.org/tbb/how-to-verify-signature/ explains how to do that for Tor Browser, using curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import - , but I wouldn't know how to use that to get the Tor signing key / acquire Nick's key.

Currently it is documented nowhere how to acquire Nick's key. Therefore reopening.
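
An added example (not from this ticket and not Tor's own tooling) showing where the opaque hu/<hash> segment of the WKD fetch URL quoted above comes from: per the OpenPGP Web Key Directory draft, the local part of the address is lower-cased, SHA-1 hashed and z-base-32 encoded, so the same derivation yields the lookup URL for any address on a domain that publishes WKD, which is the mechanism the support page already relies on for the Tor Browser key. It uses only Python's standard library; the addresses passed in at the bottom are illustrative.

```python
# Added example: derive Web Key Directory (WKD) lookup URLs for an address
# following draft-koch-openpgp-webkey-service. Not code from the ticket or
# from the Tor Project.
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (Zimmermann): symbol index == 5-bit value
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per symbol, MSB first, no padding."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # pad the tail to a whole quintet
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """WKD hashes only the local part, after mapping it to lower case."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits -> exactly 32 symbols


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' method URLs for an e-mail address."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    # ?l= carries the local part as written (case preserved), URL-encoded,
    # so the server can disambiguate addresses that hash alike
    l = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


if __name__ == "__main__":
    # The support page's command uses the advanced-method URL for torproject.org;
    # compare its hu/ segment with the value derived here for that user ID.
    for name, url in wkd_urls("torbrowser@torproject.org").items():
        print(f"{name}: {url}")
```

Whichever URL the key is fetched from, the imported key's fingerprint still has to be compared against the one published out of band (for Nick's key, the fingerprint given in this ticket) before it is trusted.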

comment:3 Changed 5 months ago by pili

possibly one for the developer portal

comment:4 Changed 5 months ago by ggus

Adrelanos, thanks for pointing this out.

Pili, meanwhile, I think we could have an entry in support portal explaining how to fetch Nick's key.

I also opened an issue here: https://dip.torproject.org/torproject/web/tpo/issues/54
