(Sub)key rotation sometimes breaks downstream projects
Micah's Torbrowser Launcher (https://github.com/micahflee/torbrowser-launcher/) seems to be using the Tor Browser Team's signing key (0x4E2C6E8793298290), but sometimes this key gets new subkeys added, and torbrowser-launcher does not include them in time before a new version of Tor Browser, signed with the new subkey, is released.
This leads to breakage for the user and a slightly worrying error message ("You might be under attack"), even though the signature is fine and the only problem is that the verifier's copy of the key is stale.
- Do we currently have a policy for the signing key (and its subkeys) covering when they are rotated or when new subkeys are added?
- Do we currently have a place where new subkeys are announced? Do potential downstream maintainers get a reasonable amount of time to update their software to handle this key rotation?
- Do we have a location where torbrowser-launcher can fetch this PGP key automatically (maybe on TPO infrastructure, for downstream maintainers to fetch and include in their code repositories)? It sounds like `gpg --recv-keys` sometimes fails?
If the answers to some of the above questions are no, is that something we might want to change in the future?
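As an illustration of what a downstream verifier could do about the failure mode above, here is an added example (not torbrowser-launcher's own code, and not Tor Project code): it reads gpg's `--status-fd` output, distinguishes "the signing subkey is not in my keyring yet" (ERRSIG with rc 9 / NO_PUBKEY) from "bad signature" (BADSIG) and from "good signature by some other key" (VALIDSIG whose primary fingerprint is not the pinned one), and on the first case re-fetches the pinned key by full fingerprint before retrying, so the "you might be under attack" message is only ever shown for the last two cases. Assumptions: the 40-hex-digit fingerprint is the one published on torproject.org for 0x4E2C6E8793298290 and should be confirmed there before pinning; `hkps://keys.openpgp.org` is used as an arbitrary HKPS keyserver; the bundled keyring path is hypothetical; the gpg status lines used as sample input are constructed, with made-up key IDs and subkey fingerprints.

```python
"""Classify gpg verification results so a downstream launcher can tell
"signing subkey not in my keyring yet" apart from "bad signature"."""
import subprocess
from enum import Enum

# Tor Browser Developers signing key.  The ticket gives the long key ID
# 0x4E2C6E8793298290; the full fingerprint below is the one published on
# torproject.org (assumption: confirm it there before pinning).  Pin the
# 40-hex-digit fingerprint, never a short or long key ID.
TOR_BROWSER_FPR = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Hypothetical fallback: a keyring file shipped with the launcher, used when
# the keyserver is unreachable (the ticket notes --recv-keys sometimes fails).
BUNDLED_KEYRING = "/usr/share/torbrowser-launcher/tor-browser-developers.asc"
KEYSERVER = "hkps://keys.openpgp.org"   # assumption: any HKPS keyserver works


class Outcome(Enum):
    VALID = "valid"                    # good signature under the pinned primary key
    UNKNOWN_SUBKEY = "unknown_subkey"  # signer key ID not in keyring: refresh, retry
    WRONG_KEY = "wrong_key"            # good signature, but not under the pinned primary
    BAD = "bad"                        # BADSIG, or nothing we can interpret


def parse_status(status_text):
    """Turn '[GNUPG:] KEYWORD args...' lines into {KEYWORD: [[args], ...]}."""
    status = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            status.setdefault(parts[1], []).append(parts[2:])
    return status


def classify(status_text, pinned_fpr=TOR_BROWSER_FPR):
    """Return (Outcome, key ID or fingerprint of the signer, or None)."""
    st = parse_status(status_text)
    if "BADSIG" in st:
        return Outcome.BAD, st["BADSIG"][0][0]
    for args in st.get("VALIDSIG", []):
        # VALIDSIG <fpr> <date> <ts> <expiry> <ver> <reserved> <pkalgo>
        #          <hashalgo> <class> <primary-key-fpr>
        primary = args[9] if len(args) > 9 else args[0]
        if primary.upper() == pinned_fpr.upper():
            return Outcome.VALID, args[0]
        return Outcome.WRONG_KEY, args[0]
    for args in st.get("NO_PUBKEY", []):
        return Outcome.UNKNOWN_SUBKEY, args[0]
    for args in st.get("ERRSIG", []):
        # ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc> [<fpr>]
        # rc 9 is GPG_ERR_NO_PUBKEY: the same "new subkey" situation.
        if len(args) > 5 and args[5] == "9":
            return Outcome.UNKNOWN_SUBKEY, args[0]
    return Outcome.BAD, None


def run_gpg(homedir, *args):
    """Run gpg in a dedicated homedir and return its status-fd output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--homedir", homedir,
         "--status-fd", "1", *args],
        capture_output=True, text=True, check=False)
    return proc.stdout


def refresh_signing_key(homedir, pinned_fpr=TOR_BROWSER_FPR):
    """Re-fetch the pinned key by full fingerprint so new subkeys arrive.
    Keyserver first, bundled keyring as fallback; in both cases accept the
    import only if IMPORT_OK names the pinned fingerprint."""
    out = run_gpg(homedir, "--keyserver", KEYSERVER, "--recv-keys", pinned_fpr)
    if "IMPORT_OK" not in parse_status(out):
        out = run_gpg(homedir, "--import", BUNDLED_KEYRING)
    # IMPORT_OK <reason> <fingerprint>
    return any(a[1].upper() == pinned_fpr.upper()
               for a in parse_status(out).get("IMPORT_OK", []) if len(a) > 1)


def verify_with_retry(homedir, sig_path, file_path):
    """Verify once; if the signer is merely unknown, refresh the pinned key
    and verify again.  Only BAD or WRONG_KEY warrant an 'under attack' message."""
    outcome, signer = classify(run_gpg(homedir, "--verify", sig_path, file_path))
    if outcome is Outcome.UNKNOWN_SUBKEY and refresh_signing_key(homedir):
        outcome, signer = classify(run_gpg(homedir, "--verify", sig_path, file_path))
    return outcome, signer


# Constructed gpg status output for the four situations (not real key data:
# the key ID 0123456789ABCDEF and the A.../B... fingerprints are made up).
SAMPLE_NEW_SUBKEY = ("[GNUPG:] NEWSIG\n"
                     "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1700000000 9 -\n"
                     "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
SAMPLE_VALID = ("[GNUPG:] NEWSIG\n"
                "[GNUPG:] GOODSIG 0123456789ABCDEF Tor Browser Developers "
                "(signing key) <torbrowser@torproject.org>\n"
                "[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF "
                "2024-01-01 1704067200 0 4 0 1 10 00 " + TOR_BROWSER_FPR + "\n")
SAMPLE_WRONG_KEY = SAMPLE_VALID.replace(TOR_BROWSER_FPR, "B" * 40)
SAMPLE_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 0123456789ABCDEF Tor Browser Developers "
              "(signing key) <torbrowser@torproject.org>\n")

if __name__ == "__main__":
    for name, sample in [("new subkey", SAMPLE_NEW_SUBKEY), ("valid", SAMPLE_VALID),
                         ("wrong key", SAMPLE_WRONG_KEY), ("bad", SAMPLE_BAD)]:
        print(f"{name:>10}: {classify(sample)}")
```

The design point is that the two halves have to go together: treating an unknown signer as "stale key, refresh" removes the false alarm the ticket describes, but the refresh must be keyed on the full primary fingerprint and the import checked against it, otherwise a keyserver (or a tampered bundled file) could hand the launcher a different key and the retry would happily report VALID for an attacker's signature.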
Related tickets from torbrowser-launcher:
- https://github.com/micahflee/torbrowser-launcher/issues/349
- https://github.com/micahflee/torbrowser-launcher/issues/358
Related forum post from some distribution hitting the same issue: