debian repository instruction use a key path different than deb.torproject.org-keyring packet
the documentation makes people download a gpg key to /usr/share/keyrings/tor-archive-keyring.gpg
, and require signatures from that key for the repo. It also recommands installing the packet deb.torproject.org-keyring
which should update that key before it expires.
However that packet actually writes to /usr/share/keyrings/deb.torproject.org-keyring.gpg
. This causes people to get errors when the key they downloaded expires, and the configuration still looks at that key, not the one being auto-updated.