Skip to content
GitLab
  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Trac Trac
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Service Desk
    • Milestones
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
  • Wiki
    • Wiki
  • Activity
  • Create a new issue
  • Issue Boards
Collapse sidebar
  • Legacy
  • TracTrac
  • Issues
  • #31292
Closed (moved) (moved)
Open
Created Jul 30, 2019 by dkg@dkg

please sign Tor releases with an OpenPGP tool that includes Issuer Fingerprint subpackets

The OpenPGP signatures on distributed tor software currently have only an unhashed "issuer" subpacket, which contains only the 64-bit keyid of the public key used to create the signature.

Modern versions of GnuPG (version 2.1.16 or later) produce an "issuer fingerprint" subpacket in each signature by default, which includes the full fingerprint of the issuing public key.

The "issuer fingerprint" subpacket provides a much stronger linkage between the signature and the OpenPGP key used to make it.

This is not a core security concern -- that is, lack of an "issuer fingerprint" subpacket doesn't make it possible to forge signatures or do anything comparably serious -- but the story we tell about verifying signatures is cleaner if the full fingerprint is present in each signature.

If it is possible to upgrade the version of GnuPG (or any other modern OpenPGP implementation) that signs Tor releases to one that generates these subpackets, that would be a good thing.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking