Skip to content

Bug 40964: torbrowser gpg key update

boklm requested to merge boklm/tor-browser-build:bug_40964 into main

Merge Info

Related Issues

Backporting

We should backport only the first commit (Bug 40964: Update keyring/torbrowser.gpg for new subkey). Backporting the other commit is not needed.

Timeline

  • Immediate: patchset needed as soon as possible
  • Next Minor Stable Release: patchset that needs to be verified in nightly before backport
  • Eventually: patchset that needs to be verified in alpha before backport
  • No Backport (preferred): patchset for the next major stable

(Optional) Justification

  • Emergency security update: patchset fixes CVEs, 0-days, etc
  • Censorship event: patchset enables censorship circumvention
  • Critical bug-fix: patchset fixes a bug in core-functionality
  • Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
  • Sponsor required: patchset required for sponsor
  • Other: please explain

Issue Tracking

Review

Request Reviewer

  • Request review from an applications developer depending on modified system:
    • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since gitlab only allows 1 reviewer)
    • accessibility : henry
    • android : clairehurst, dan
    • build system : boklm
    • extensions : ma1
    • firefox internals (XUL/JS/XPCOM) : jwilde, ma1
    • fonts : pierov
    • frontend (implementation) : henry
    • frontend (review) : donuts, richard
    • localization : henry, pierov
    • macOS : clairehurst, dan
    • nightly builds : boklm
    • rebases/release-prep : boklm, dan, ma1, pierov, richard
    • security : jwilde, ma1
    • signing : boklm, richard
    • updater : pierov
    • windows : jwilde, richard
    • misc/other : pierov, richard

Change Description

Update keyring/torbrowser.gpg for new subkey. And update signing script to use the new subkey for alpha.

How Tested

diff from the output of ./tools/keyring/list-all-keyrings:

--- /tmp/1.txt	2024-07-23 13:38:47.122000000 +0200
+++ /tmp/2.txt	2024-07-23 13:38:42.098000000 +0200
@@ -229,7 +229,7 @@
 ./keyring/torbrowser.gpg: PGP/GPG key public ring (v4) created Mon Dec 15 10:54:02 2014 RSA (Encrypt or Sign) 4096 bits MPI=0xd032cf90e5c02c85...
 ./keyring/torbrowser.gpg
 ------------------------
-pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2025-07-21]
+pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2027-07-15]
       EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
 uid                 [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
 sub   rsa4096/EB774491D9FF06E2 2018-05-26 [S] [expired: 2022-01-04]
@@ -237,7 +237,8 @@
 sub   rsa4096/2E1AC68ED40814E0 2014-12-15 [S] [expired: 2017-08-25]
 sub   rsa4096/2D000988589839A3 2014-12-15 [S] [revoked: 2015-08-26]
 sub   rsa4096/D1483FA6C3C07136 2016-08-24 [S] [expired: 2018-08-24]
-sub   rsa4096/E53D989A9E2D47BF 2021-09-17 [S] [expires: 2024-08-23]
+sub   rsa4096/E53D989A9E2D47BF 2021-09-17 [S] [expires: 2024-09-13]
+sub   rsa4096/157432CF78A65729 2024-07-15 [S] [expires: 2026-10-26]
 
 ./keyring/ubuntu.gpg: PGP/GPG key public ring (v4) created Thu Dec 30 20:09:44 2004 DSA 1024 bits MPI=0xa19dbde60cb17137...
 ./keyring/ubuntu.gpg

Merge request reports