Hello everyone,
Please be aware that a new PGP subkey will be used for signing Tor Browser packages beginning with Tor Browser 11.5a1.
Please refresh your keychain from keys.openpgp.org, as needed.
You may download it from https://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6....
On Tue, Dec 14, 2021 at 02:15:27AM +0000, Matthew Finkel wrote:
> Please be aware that a new PGP subkey will be used for signing Tor Browser packages beginning with Tor Browser 11.5a1.
> Please refresh your keychain from keys.openpgp.org, as needed.
Thanks Matt.
What's the story with the torbrowserlauncher package these days? Should we expect another round of users reporting that they're being man-in-the-middled, because torbrowserlauncher is surprised by this new key and logs scary error messages? If yes, now that we see it coming, is there anything we can do to smooth its arrival, like pushing an update to that package?
I am cc'ing Micah in case he knows the answer by now too. :)
--Roger
On Tue, Dec 14, 2021 at 03:32:33AM -0500, Roger Dingledine wrote:
> On Tue, Dec 14, 2021 at 02:15:27AM +0000, Matthew Finkel wrote:
> > Please be aware that a new PGP subkey will be used for signing Tor Browser packages beginning with Tor Browser 11.5a1.
> > Please refresh your keychain from keys.openpgp.org, as needed.
> Thanks Matt.
> What's the story with the torbrowserlauncher package these days? Should we expect another round of users reporting that they're being man-in-the-middled, because torbrowserlauncher is surprised by this new key and logs scary error messages? If yes, now that we see it coming, is there anything we can do to smooth its arrival, like pushing an update to that package?
The situation is better. If torbrowser-launcher has an old key in its keyring and it can't verify the signature then it should automatically refresh the signing key from Tor's WKD:
https://github.com/micahflee/torbrowser-launcher/pull/586
> I am cc'ing Micah in case he knows the answer by now too. :)
> --Roger
tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
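
The refresh-on-failure behaviour described in the last reply, sketched as an added example (not code from torbrowser-launcher or the Tor Project): it derives the two Web Key Directory lookup URLs for a signer address and retries verification once after a refresh, accepting the fetched key only if its primary fingerprint matches a pinned one, since a new signing subkey leaves the primary fingerprint unchanged. The signer address, the pinned fingerprint and the `verify`/`fetch` callbacks are assumptions standing in for a real OpenPGP backend.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zbase32(data):
    """Encode bytes as z-base-32, 5 bits per character, most significant first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def wkd_urls(address):
    """Return the WKD lookup URLs (advanced method first, then direct)."""
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        raise ValueError("expected local@domain")
    domain = domain.lower()
    # Only ASCII letters are lowercased before hashing the local part.
    folded = "".join(c.lower() if c.isascii() else c for c in local)
    hu = zbase32(hashlib.sha1(folded.encode("utf-8")).digest())
    query = "?l=" + quote(local, safe="")
    return [
        f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}{query}",
        f"https://{domain}/.well-known/openpgpkey/hu/{hu}{query}",
    ]

def verify_with_refresh(verify, fetch, address, pinned_fpr):
    """Verify; on failure refresh the key over WKD once and verify again.

    Hypothetical callbacks: verify() -> bool checks the package signature
    against the local keyring; fetch(url) -> (primary_fpr, install) or None
    downloads the key without importing it, install() merges it.
    """
    if verify():
        return "verified"
    for url in wkd_urls(address):
        result = fetch(url)
        if result is None:
            continue  # this method is not served, try the next URL
        fetched_fpr, install = result
        # A rotated subkey keeps the primary fingerprint; anything else is refused.
        if fetched_fpr.upper() != pinned_fpr.upper():
            return "rejected: primary key changed"
        install()
        return "verified-after-refresh" if verify() else "rejected: bad signature"
    return "rejected: refresh failed"
```

The fingerprint check runs before `install()`, so a key served from the domain with a different primary key never reaches the keyring.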