[Whonix-devel] #31090 [Webpages]: stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jul 6 12:07:23 CEST 2019
#31090: stop using gpg keyservers / provide OpenPGP keys for download as files from
torproject.org
-----------------------+--------------------------
Reporter: adrelanos | Owner: (none)
Type: defect | Status: new
Priority: Medium | Component: Webpages
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------+--------------------------
[https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f Quote]
(bold not added by me)
> **High-risk users should stop using the keyserver network immediately.**
Originator of quote, again quoting directly:
> Robert J. Hansen <rjh at sixdemonbag.org>. I maintain the GnuPG FAQ and
unofficially hold the position of crisis communicator. This is not an
official statement of the GnuPG project, but does come from someone with
commit access to the GnuPG git repo.
See also:
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
Other reasons:
* Apart from this, keyservers have been unreliable for a long time now.
This alone is a reason for at least providing an optional download of
public keys.
* While https://support.torproject.org/tbb/how-to-verify-signature/ can be
viewed in Tor Browser, doing networking outside of Tor Browser (gpg
--recv-keys) is non-trivial to do torified. Also for that reason it would
be better if users could get both, the information how to verify and the
gpg public key from the same source.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31090>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the Whonix-devel
mailing list