> I propose distributing the Tor developer keys inside the Fedora package
> distribution-gpg-keys.[1] This would give most Linux users a trustworthy
> chain of signatures from their own distributor (e.g. CentOS or Fedora) to
> Tor project downloads.
(most? :) )
I suspect so. I haven't checked if Debian/Ubuntu have keyrings for Fedora. (Vice versa is certainly true.)
> I am happy to take care of this, although I am also happy if somebody who
> is more involved with Tor than me takes this on. I wrote a shell script
> (attached) to acquire and organise the keys based on
> https://2019.www.torproject.org/include/keys.txt. My script would install
> the following keys under /usr/share/distribution-gpg-keys/tor:
Unfortunately that file is very old and incorrect now.
That is unfortunate. Is there any sensible way that users can currently verify signatures of their downloads? (Can I mimic that?)
> The most obvious question is: how do I know that I am distributing
> unadulterated keys? I think the answer is that I don't! But any attack
> would have to affect a large group of people, and would be detected quickly
> as long as many people are looking at the distribution-gpg-keys package.
> If this solution is unsatisfactory, then perhaps someone who is more
> involved with the Tor developers -- and hence able to directly check the
> keys -- ought to take this on.
Yeah, if a package like this exists and it has tor's name attached to
it, then we should have a high degree of confidence that the package
contains the correct keys.
I'm not sure I understood what you mean. Are you worried about an attack? Or just miscommunication?
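As an added illustration of what the proposal would buy end users (this is not code from the thread, from the Tor project or from the distribution-gpg-keys package): once a keyring is installed from a distro package, a download can be verified against that one pinned file and nothing else, so the trust chain is distributor -> package -> keyring -> signature rather than whatever happens to be in the user's own GnuPG keyring. The path /usr/share/distribution-gpg-keys/tor is the one the mail proposes; the keyring file name, the sample release file and the throwaway signing key are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, the Tor project or Fedora.
# Verifies a download against ONE pinned keyring file, the way a keyring
# shipped in a distro package (the distribution-gpg-keys idea above) would
# be used. The directory /usr/share/distribution-gpg-keys/tor is from the
# proposal; the file name tor.gpg used below is an assumption.
set -eu

# verify_with_keyring KEYRING SIGNATURE FILE
# Exit 0 only if SIGNATURE is a good detached signature over FILE made by a
# key present in KEYRING. --no-default-keyring ignores ~/.gnupg/pubring, so
# a key imported earlier from a keyserver cannot satisfy the check.
# --keyring must be an absolute path (or start with ./) to be read as a file.
verify_with_keyring() {
    gpg --batch --no-default-keyring --keyring "$1" \
        --trust-model always --verify "$2" "$3" >/dev/null 2>&1
}

# Self-contained round trip. A throwaway key stands in for a Tor developer
# key, an exported public-key file stands in for the packaged keyring, and
# an empty GNUPGHOME plays an end user who has never imported anything.
# Returns 0 if the good signature verifies and a tampered download fails.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    signer="$work/signer"; user="$work/user"
    mkdir -m 700 "$signer" "$user" || return 1

    # 1. "Developer" side: key, constructed release file, detached signature.
    printf 'constructed sample release contents\n' >"$work/tor-release.tar"
    export GNUPGHOME="$signer"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Signer <signer@example.invalid>' \
        default default never >/dev/null 2>&1 || return 1
    gpg --batch --armor --detach-sign \
        -o "$work/tor-release.tar.asc" "$work/tor-release.tar" 2>/dev/null \
        || return 1
    # The "packaged keyring": public keys only, binary OpenPGP keyring format.
    gpg --batch --export >"$work/tor.gpg" 2>/dev/null || return 1
    gpgconf --kill gpg-agent 2>/dev/null || true

    # 2. "User" side: a fresh GNUPGHOME, verification via the keyring only.
    export GNUPGHOME="$user"
    verify_with_keyring "$work/tor.gpg" \
        "$work/tor-release.tar.asc" "$work/tor-release.tar" || return 1

    # 3. A modified download must be rejected even though the key is trusted.
    printf 'tampered\n' >>"$work/tor-release.tar"
    if verify_with_keyring "$work/tor.gpg" \
        "$work/tor-release.tar.asc" "$work/tor-release.tar"; then
        return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    unset GNUPGHOME
    rm -rf "$work"
    return 0
}

# Stand-alone run; real use would be e.g.
#   verify_with_keyring /usr/share/distribution-gpg-keys/tor/tor.gpg \
#       tor-0.x.y.tar.gz.asc tor-0.x.y.tar.gz
if command -v gpg >/dev/null 2>&1; then
    demo_roundtrip
    echo "good signature accepted, tampered file rejected"
fi
```

The point of `--no-default-keyring --keyring FILE` is that the decision rests only on the packaged keyring: if the distributor's package is correct, a good signature proves the download came from a key in that package, and a keyserver-poisoned or stale key in the user's own keyring plays no part.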