Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
Trac
Trac
  • Project overview
    • Project overview
    • Details
    • Activity
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Operations
    • Operations
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value Stream
  • Wiki
    • Wiki
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Create a new issue
  • Issue Boards

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

  • Legacy
  • TracTrac
  • Issues
  • #31292

Closed (moved)
Open
Opened Jul 30, 2019 by dkg@dkg

please sign Tor releases with an OpenPGP tool that includes Issuer Fingerprint subpackets

The OpenPGP signatures on distributed tor software currently have only an unhashed "issuer" subpacket, which contains only the 64-bit keyid of the public key used to create the signature.

Modern versions of GnuPG (version 2.1.16 or later) produce an "issuer fingerprint" subpacket in each signature by default, which includes the full fingerprint of the issuing public key.

The "issuer fingerprint" subpacket provides a much stronger linkage between the signature and the OpenPGP key used to make it.

This is not a core security concern -- that is, lack of an "issuer fingerprint" subpacket doesn't make it possible to forge signatures or do anything comparably serious -- but the story we tell about verifying signatures is cleaner if the full fingerprint is present in each signature.

If it is possible to upgrade the version of GnuPG (or any other modern OpenPGP implementation) that signs Tor releases to one that generates these subpackets, that would be a good thing.

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information
Assignee
Assign to
Tor: 0.4.2.x-final
Milestone
Tor: 0.4.2.x-final
Assign milestone
Time tracking
None
Due date
None
Reference: legacy/trac#31292