OK, I code-solved my own misery:
This change is an improvement YET really the subtle minor 3-lettered
increment is UNobvious to people like me:
BE VERY CAUTIOUS of the * D.E.B * novelty in the tor.list file:
echo 'deb [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main' >> ../../etc/apt/sources.list.d/tor.list
echo 'deb-src [signed-by=/usr/share/keyrings/deb.tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main' >> ../../etc/apt/sources.list.d/tor.list
and associated command:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/deb.tor-archive-keyring.gpg >/dev/null
sooo, unobvious.
Question is: how many relays are now running an out-dated gpg keyring?
Carlos.
On 8/11/24 2:06 PM, eff_03675...@posteo.se wrote:
Hi all,
wait: I just installed a fresh relay and the torproject is still
outdated with the old keyring!
(I had to add sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 74A941BA219EC810 to my script).
Isn't this insane given that new comers are going to install
vulnerable relays by default?
How come the new installs still have to update?
Carlos.
On 8/2/24 5:16 PM, telekobold wrote:
Hi boldsuck,
thank you for your messages and the explanations. To be honest, I
wasn't aware that the GPG key has to be updated manually every two
years. However, I still have a few comprehension questions:
On 16.07.24 14:03, boldsuck wrote:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
What exactly is the purpose of "gpg --dearmor" and of "tee" here? Why
isn't it enough to just type
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc > /usr/share/keyrings/tor-archive-keyring.gpg
?
I compared the output with and without the "gpg --dearmor" using
diff, it is exactly the same. And the only effect of tee is that the
binary output is also printed to the terminal. There is even
something that is interpreted as a line break at the end of the
binary .gpg file so that the terminal tries to execute "1;2c" which
leads to an error. However, with the shortened command, everything
also works without errors.
>> apt-key -list /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
[...]
> Sorry, above is the key that is installed by the package deb.torproject.org-keyring.
> gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg shows you the one imported via wget.
On my relays (installed "the standard way" using the manuals at the
torproject.org website), both commands output the same GPG key with
the fingerprint
A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89
So, there seems to be no other Tor-related GPG key installed by the
package deb.torproject.org-keyring, just the GPG key manually
installed via the above wget command.
And finally, it would be nice if one could check the fingerprint of
this key on future physical Tor relay operators meetups like the one
at the Chaos Communication Camp. I'm not even sure if wget does any
background check based on a hierarchical certificate check of the TLS
certificate of torproject.org. If the TLS connection would be somehow
corrupted at the moment where one executed the wget command an
attacker could corrupt the whole relay, according to my
understanding. Or do I have an error in my thinking here?
Kind regards
telekobold
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
--
PGP updated every second week : please actualize our communication every time.
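Added example, not code from this thread, from the Tor Project or from its apt packaging: the Python below does by hand what the two questions in the thread are about. It strips ASCII armor the way `gpg --dearmor` does (base64 body plus a CRC-24 trailer, turned into the binary packets apt reads from `/usr/share/keyrings/`), computes the v4 OpenPGP fingerprint that `gpg --show-keys` prints, and refuses to hand back the keyring unless that fingerprint matches a value supplied from somewhere other than the download itself (a meetup, a printed copy, an older trusted install). The key material is a constructed RSA public-key packet, not the real deb.torproject.org key; the only real value used is the fingerprint quoted in the thread, as the "expected" value such a check compares against. OpenPGP packet layout follows RFC 4880; the `packets`/`fingerprint`/`verify_keyring` names are this example's own.

```python
"""Added example (not from the tor-relays thread or the Tor Project): what
`gpg --dearmor` does to a .asc file and how to pin the keyring's fingerprint
before writing it under /usr/share/keyrings/. Sample key is constructed."""
import base64
import hashlib
import re
import struct

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the '=XXXX' line under the armor body."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def enarmor(binary: bytes) -> str:
    """Wrap binary OpenPGP packets in ASCII armor, i.e. produce what a .asc file holds."""
    body = base64.b64encode(binary).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(struct.pack(">I", crc24(binary))[1:]).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines
                     + [crc_line, "-----END PGP PUBLIC KEY BLOCK-----", ""])

ARMOR_RE = re.compile(
    r"-----BEGIN PGP [^\n]*-----\n(?:[^\n]*:[^\n]*\n)*\n(.*?)\n=([A-Za-z0-9+/]{4})\n-----END",
    re.S)

def dearmor(armored: str) -> bytes:
    """What `gpg --dearmor` does: drop armor lines and optional 'Key: value' headers,
    base64-decode the body, verify the CRC-24. The result is the binary keyring apt wants."""
    m = ARMOR_RE.search(armored)
    if not m:
        raise ValueError("not an ASCII-armored OpenPGP block")
    binary = base64.b64decode("".join(m.group(1).split()))
    if crc24(binary) != int.from_bytes(base64.b64decode(m.group(2)), "big"):
        raise ValueError("armor CRC mismatch: file is corrupted or truncated")
    return binary

def packets(binary: bytes):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(binary):
        ctb = binary[i]
        if ctb & 0x40:                                  # new format (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, binary[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + binary[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", binary[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body length not supported")
        else:                                           # old format (RFC 4880 4.2.1)
            tag, width = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]   # type 3 (indeterminate) rejected
            length, hdr = int.from_bytes(binary[i + 1:i + 1 + width], "big"), 1 + width
        yield tag, binary[i + hdr:i + hdr + length]
        i += hdr + length

def fingerprint(binary: bytes) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, key packet body.
    This is the 40-hex-digit value `gpg --show-keys` prints for the primary key."""
    for tag, body in packets(binary):
        if tag == 6 and body[0] == 4:                  # first primary public-key packet, v4
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no v4 public-key packet in keyring")

def verify_keyring(armored: str, expected_fpr: str) -> bytes:
    """Dearmor and refuse the keyring unless its fingerprint is the one you trust out of band."""
    binary = dearmor(armored)
    got, want = fingerprint(binary), expected_fpr.replace(" ", "").upper()
    if got != want:
        raise ValueError(f"fingerprint mismatch: got {got}, expected {want}")
    return binary   # only now is it safe to write to /usr/share/keyrings/<name>.gpg

def is_trusted(armored: str, expected_fpr: str) -> bool:
    try:
        return verify_keyring(armored, expected_fpr) is not None
    except ValueError:
        return False

# --- constructed sample key (NOT a real key, not the deb.torproject.org key) ---
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def public_key_packet(n: int, e: int, created: int) -> bytes:
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)  # v4, RSA
    # old-format header: tag 6 with a 2-byte length is exactly the byte 0x99
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body

SAMPLE_KEY = public_key_packet(int("C0FFEE" * 20, 16) | 1, 65537, 1700000000)
SAMPLE_ARMORED = enarmor(SAMPLE_KEY)
SAMPLE_FPR = fingerprint(SAMPLE_KEY)

if __name__ == "__main__":
    print("sample fingerprint:", SAMPLE_FPR)
    print("accepted with pinned fpr:", is_trusted(SAMPLE_ARMORED, SAMPLE_FPR))
    # the fingerprint quoted in the thread will not match the constructed key
    print("accepted with other fpr:", is_trusted(SAMPLE_ARMORED, "A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"))
```

Two things this makes concrete. First, `gpg --dearmor` is a real transformation: the `.asc` is base64 text with a checksum, and the binary `.gpg` that ends up in `/usr/share/keyrings/` is the decoded packets, which is why the trailing `tee` writes bytes rather than text. Second, the TLS connection `wget` makes only tells you which server answered; it says nothing about whether the key you received is the one the operator community agreed on. Comparing the computed fingerprint against a value obtained elsewhere, before the keyring is written, is the check that closes the gap telekobold asked about, and it is the same check to run on an old relay to see whether its keyring still carries the expected key.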