Opened 8 years ago

Closed 5 years ago

Last modified 5 years ago

#5606 closed task (fixed)

deb package with all torproject.org signing pgp keys

Reported by: proper Owned by:
Priority: High Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords:
Cc: weasel, proper@… Actual Points:
Parent ID: #5996 Points:
Reviewer: Sponsor:

Description

Please provide a deb package with all signing keys listed here: https://www.torproject.org/docs/signing-keys.html.en

It's a bit cumbersome to download all the keys from the keyserver and verify them by hand.

Importing the main key from
https://www.torproject.org/docs/debian.html.en#ubuntu
and installing the deb.torproject.org-keyring package would suffice to always have a copy of all correct and current keys installed.

Either preferably expand the existing deb.torproject.org-keyring package or provide an extra package.

Perhaps related to #1877.

Change History (12)

comment:1 Changed 8 years ago by arma

Cc: weasel added

weasel, what do you think about this idea?

comment:2 Changed 8 years ago by weasel

The deb.torproject.org-keyring package exists to ship the key required by apt to verify the deb.torproject.org repository. We should not add more keys than necessary.

I don't really see the point of creating a new package to ship a specific set of keys in a keyring. GnuPG's extra keyring support is bad and painful enough that in all likelihood the only people who can make use of it already know how to download a key off a keyserver.

comment:3 Changed 8 years ago by arma

Maybe we could solve the goal by offering a big text file of keys from the signing-keys page that people can download and gpg import?

comment:4 in reply to:  3 Changed 8 years ago by proper

Cc: proper@… added

Replying to arma:

> Maybe we could solve the goal by offering a big text file of keys from the signing-keys page that people can download and gpg import?

That would also be better than nothing, with the disadvantage that users still have to keep them manually updated.

comment:5 Changed 8 years ago by proper

And why should we rely on keyservers?

When you download the newest software (Tor Browser etc.) from torproject.org over your old Tor Browser, and also access the keyserver over Tor, one might ask: Why does the key download not work? Keyserver down? (Happens sometimes...) Tor slow? Mistake in torify configuration?

It's more convenient to download everything from one source.

(Sorry for the double post. It came to my mind too late.)

comment:6 in reply to:  3 Changed 8 years ago by proper

Replying to arma:

> Maybe we could solve the goal by offering a big text file of keys from the signing-keys page that people can download and gpg import?

I suggested that as well (#2617) and got rejected.

comment:7 Changed 8 years ago by erinn

Owner: erinn deleted
Status: new → assigned

I don't make any Debian packages so I'm unassigning this from myself, but someone else should feel free to take it.

comment:8 Changed 7 years ago by proper

Keywords: #5996 added

comment:9 Changed 7 years ago by proper

Keywords: #5996 removed
Parent ID: #5996

Sorry for messing with the keyword; parent ID was what I wanted.

comment:10 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:11 Changed 5 years ago by isis

Resolution: fixed
Status: assigned → closed

I'm closing this because we have the deb.torproject.org-keyring package in our repositories. If I've made some mistake here, please feel free to reopen this ticket.

comment:12 Changed 5 years ago by isis

Keywords: needs-triage removed