GitLab

Page https://www.torproject.org/docs/signing-keys.html.en shows Nick Mathewson's old PGP key, not the current one. It is the current key that is used to sign the Tor source tarballs.

See here: http://www.wangafu.net/~nickm/key-transition-statement-2.txt.asc

Also, since the Wiki page will be edited, it would be nice if instruction on using the Tor public key were on the page. When verifying the tarball I get this:

$ gpg --verify tor-0.2.8.9.tar.gz.asc gpg: Signature made Mon 17 Oct 2016 08:16:09 PM UTC using RSA key ID 8D29319A gpg: Can't check signature: public key not found gpg: Signature made Mon 17 Oct 2016 08:16:09 PM UTC using RSA key ID 9E92B601 gpg: Good signature from "Nick Mathewson nickm@alum.mit.edu" gpg: aka "Nick Mathewson nickm@wangafu.net" gpg: aka "Nick Mathewson nickm@torproject.org" gpg: aka "Nick Mathewson nickm@freehaven.net" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB Subkey fingerprint: 7A02 B352 1DC7 5C54 2BA0 1545 6AFE E6D4 9E92 B601

Note the "Can't check signature: public key not found" above.

Trac:
Username: tmpname0901