Dear @anarcat
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892058 https://salsa.debian.org/lechner/key-expirations
Yes, the script above from Debian that emails reminders about key expiration will improve the situation greatly. Can you kindly set that up for all tpo keys that have an expiration? Thank you!
For issues like #40115 and #40299, we have already experienced GPG subkey expiration a few times in the past. This caused downstream projects like torbrowser-launcher to fail to install Tor Browser, because they check the downloaded file's integrity with GPG.
So I'm wondering whether we can improve GPG subkey refresh in your regular workflow, or add a timer notification. It's not urgent, but better to fix before the next expiration date, Jan 04 2022. Thank you!
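As an added example, not part of the original issue and not the Debian key-expirations script linked above: a POSIX shell check that a cron job or systemd timer can run against `gpg --with-colons --list-keys` output, reporting signing-capable subkeys that are revoked, expired, or expiring within a warning window, with a non-zero exit when no usable signing subkey remains. The input below is constructed in the `--with-colons` shape to match the key state shown later in this thread (one revoked and one expired signing subkey); the key ID 0000000000000001 is a placeholder for a renewed subkey, not a real one, and its assumed expiration is the 2022-01-04 date mentioned above.

```shell
#!/bin/sh
# Added example, not from the Tor issue or the Debian key-expirations script:
# report signing-capable subkeys that are revoked, expired, or expiring soon,
# in a form a cron job or systemd timer can act on (non-zero exit = warn).

# check_signing_subkeys THRESHOLD_DAYS NOW_EPOCH
# Reads `gpg --with-colons --list-keys KEYID` output on stdin. For every
# "sub" record whose capability field (12) includes "s" (signing), prints a
# status line. Exit status is 0 only if at least one signing subkey is
# neither revoked nor expiring within THRESHOLD_DAYS of NOW_EPOCH.
check_signing_subkeys() {
    awk -F: -v threshold="$1" -v now="$2" '
        $1 == "sub" && index($12, "s") {
            keyid = $5
            if ($2 == "r") {              # validity "r": subkey revoked
                printf "%s: revoked\n", keyid
                next
            }
            if ($7 == "") {               # empty field 7: no expiration set
                printf "%s: ok (no expiration)\n", keyid
                good++
                next
            }
            if ($7 <= now) {              # field 7: expiration as epoch seconds
                printf "%s: expired %d day(s) ago\n", keyid, int((now - $7) / 86400)
                next
            }
            days = int(($7 - now) / 86400)
            if (days <= threshold)
                printf "%s: expires in %d day(s), within %d-day warning window\n", keyid, days, threshold
            else {
                printf "%s: ok, expires in %d day(s)\n", keyid, days
                good++
            }
        }
        END { exit (good > 0) ? 0 : 1 }
    '
}

# Constructed sample in gpg --with-colons format, matching the key state shown
# in this thread on 2021-06-14: one revoked and one expired signing subkey.
# Fields used: 1 record type, 2 validity, 5 key ID, 7 expiration (epoch), 12 capabilities.
SAMPLE_EXPIRED='pub:-:4096:1:4E2C6E8793298290:1418601600:1753056000::-:::scSC::::::23::0:
fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:
sub:r:4096:1:2D000988589839A3:1418601600::::::s::::::23:
sub:e:4096:1:EB774491D9FF06E2:1527292800:1623465323:::::s::::::23:'

# Same key after a renewed signing subkey is added. Key ID 0000000000000001 is a
# placeholder, not a real subkey; its expiration 1641254400 is 2022-01-04 00:00 UTC.
SAMPLE_RENEWED="$SAMPLE_EXPIRED
sub:-:4096:1:0000000000000001:1623500000:1641254400:::::s::::::23:"

# Demo as of 2021-06-14 00:00 UTC (epoch 1623628800) with a 30-day window.
for sample in "$SAMPLE_EXPIRED" "$SAMPLE_RENEWED"; do
    if printf '%s\n' "$sample" | check_signing_subkeys 30 1623628800; then
        echo "=> at least one usable signing subkey"
    else
        echo "=> WARNING: no signing subkey usable beyond the window"
    fi
done

# Real use, with gpg installed (refresh the key first, then check):
#   gpg --refresh-keys 0x4E2C6E8793298290
#   gpg --with-colons --list-keys 0x4E2C6E8793298290 | check_signing_subkeys 30 "$(date +%s)"
```

Run from a timer, the non-zero exit is the notification hook. Refresh the key before checking: as the keyserver and WKD output later in this thread shows, a refresh can report "not changed" even after a renewed subkey has been uploaded elsewhere, so a check against a stale local copy will warn about the old subkey until the refresh actually pulls the update.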
@anarcat Thanks for the prompt action!
Yes, the updated subkey is already on the keyserver keys.openpgp.org. However, I find it still cannot be retrieved via WKD.
$ rm -rf /tmp/gnupghome; mkdir -p /tmp/gnupghome
$ gpg -v --homedir /tmp/gnupghome --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg: WARNING: unsafe permissions on homedir '/tmp/gnupghome'
gpg: keybox '/tmp/gnupghome/pubring.kbx' created
gpg: /tmp/gnupghome/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: pub rsa4096/4E2C6E8793298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@torproject.org>
gpg: Note: signature key 2D000988589839A3 has been revoked
gpg: Note: signature key EB774491D9FF06E2 expired Sat 12 Jun 2021 11:35:23 AM JST
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: Total number processed: 1
gpg: imported: 1
gpg: auto-key-locate found fingerprint EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
gpg: Note: signature key 2D000988589839A3 has been revoked
gpg: Note: signature key EB774491D9FF06E2 expired Sat 12 Jun 2021 11:35:23 AM JST
gpg: automatically retrieved 'torbrowser@torproject.org' via WKD
pub rsa4096 2014-12-15 [C] [expires: 2025-07-21]
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub rsa4096 2014-12-15 [S] [revoked: 2015-08-26]
sub rsa4096 2018-05-26 [S] [expired: 2021-06-12]
The PGP/GPG subkey for torbrowser@tpo (0x4E2C6E8793298290) already expired last Saturday, June 12. I also tried to refresh the key using a few well-known key servers, and found it's not updated.
$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options self-sigs-only --refresh-keys 0x4E2C6E8793298290
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: key 0x4E2C6E8793298290: number of dropped non-self-signatures: 121456
gpg: pub rsa4096/0x4E2C6E8793298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@torproject.org>
gpg: key 0x4E2C6E8793298290: 12 duplicate signatures removed
gpg: key 0x4E2C6E8793298290: 2 signatures reordered
gpg: key 0x4E2C6E8793298290/0x7017ADCEF65C2036: removed multiple subkey binding
gpg: key 0x4E2C6E8793298290/0x2E1AC68ED40814E0: removed multiple subkey binding
gpg: key 0x4E2C6E8793298290/0xEB774491D9FF06E2: removed multiple subkey binding
gpg: Note: signature key 0xD1483FA6C3C07136 expired Fri 24 Aug 2018 08:26:24 PM JST
gpg: Note: signature key 0xEB774491D9FF06E2 expired Sat 12 Jun 2021 11:35:23 AM JST
gpg: Note: signature key 0x2E1AC68ED40814E0 expired Fri 25 Aug 2017 08:26:30 PM JST
gpg: Note: signature key 0x7017ADCEF65C2036 expired Fri 25 Aug 2017 08:23:23 PM JST
gpg: Note: signature key 0x2D000988589839A3 has been revoked
gpg: key 0x4E2C6E8793298290: "Tor Browser Developers (signing key) <torbrowser@torproject.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
So currently there's only a valid subkey for certification, but no valid subkey for signing:
$ gpg -k 0x4E2C6E8793298290
pub rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2025-07-21]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
And there are quite a few issue reports of failing to get TBB installed:
I hope this key update can be fixed soon. Thank you!