[Whonix-devel] #31090 [Webpages]: stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jul 6 12:07:23 CEST 2019
#31090: stop using gpg keyservers / provide OpenPGP keys for download as files from
torproject.org
-----------------------+--------------------------
 Reporter:  adrelanos  |          Owner:  (none)
     Type:  defect     |         Status:  new
 Priority:  Medium     |      Component:  Webpages
  Version:             |       Severity:  Normal
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
 Reviewer:             |        Sponsor:
-----------------------+--------------------------
 [https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f Quote]
 (bold not added by me)
 > **High-risk users should stop using the keyserver network immediately.**
 Originator of quote, again quoting directly:
 > Robert J. Hansen <rjh at sixdemonbag.org>. I maintain the GnuPG FAQ and
 > unofficially hold the position of crisis communicator. This is not an
 > official statement of the GnuPG project, but does come from someone with
 > commit access to the GnuPG git repo.
 See also:
 https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
 Other reasons:
 * Apart from this, keyservers have been unreliable for a long time now.
 This alone is a reason for at least providing an optional download of
 public keys.
 * While https://support.torproject.org/tbb/how-to-verify-signature/ can be
 viewed in Tor Browser, doing networking outside of Tor Browser (gpg
 --recv-keys) is non-trivial to do torified. Also for that reason it would
 be better if users could get both the information on how to verify and the
 gpg public key from the same source.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31090>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online