The documentation makes people download a gpg key to /usr/share/keyrings/tor-archive-keyring.gpg, and require signatures from that key for the repo. It also recommends installing the package deb.torproject.org-keyring which should update that key before it expires.
However that package actually writes to /usr/share/keyrings/deb.torproject.org-keyring.gpg. This causes people to get errors when the key they downloaded expires, and the configuration still looks at that key, not the one being auto-updated.
When adding an OpenPGP key that's used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don't have a signed-by option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system.
Not that I don't trust the TorProject key. It increases the desire of attackers to compromise the key or deb.torproject.org.
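The two configuration hazards raised above (a signed-by path that no longer matches the keyring the package installs, and entries with no signed-by at all that fall back to everything in /etc/apt/trusted.gpg.d) can be checked mechanically. The following audit script is an added example, not code from the Tor Project or from APT; it parses both one-line and deb822 source entries and reports how each repository's signing key is bound. The sample source files and the set of installed keyrings are constructed inline so that it runs offline; on a real system you would read /etc/apt/sources.list.d/ and pass `lambda p: Path(p).exists()` as the existence check.

```python
"""Audit APT source entries for how their signing key is bound (added example)."""
import re
from pathlib import Path

# deb [opt=val ...] uri suite components   (options bracket is optional)
ONE_LINE_RE = re.compile(r"^\s*(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(.*)$")

# Constructed sample files mirroring the report: the Tor entry points at the
# documented keyring path, while the keyring package installs its key at a
# different path, and a second repo (deb822 format) has no Signed-By at all.
SAMPLE_SOURCES = {
    "/etc/apt/sources.list.d/tor.list":
        "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] "
        "https://deb.torproject.org/torproject.org bookworm main\n",
    "/etc/apt/sources.list.d/example.sources":
        "Types: deb\n"
        "URIs: https://example.invalid/debian\n"
        "Suites: bookworm\n"
        "Components: main\n",
}
# Constructed: the only keyring file present is the one the package writes.
SAMPLE_KEYRINGS = {"/usr/share/keyrings/deb.torproject.org-keyring.gpg"}


def parse_one_line(text):
    """Return [{'uri', 'signed_by'}] for classic sources.list lines."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ONE_LINE_RE.match(line)
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m.group(2) or "").split() if "=" in o)
        entries.append({"uri": m.group(3), "signed_by": opts.get("signed-by")})
    return entries


def parse_deb822(text):
    """Return [{'uri', 'signed_by'}] for deb822-style .sources stanzas."""
    entries, stanza = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last stanza
        if not line.strip():
            if "URIs" in stanza:
                key = stanza.get("Signed-By")
                if key == "":                       # value continues on indented lines
                    key = "<inline key>"            # embedded armored key, no file to check
                for uri in stanza["URIs"].split():
                    entries.append({"uri": uri, "signed_by": key})
            stanza = {}
            continue
        if line[0] in " \t" or line.startswith("#"):
            continue                                # continuation line or comment
        field, _, value = line.partition(":")
        stanza[field.strip()] = value.strip()
    return entries


def audit(sources, keyring_exists):
    """Classify every entry: pinned to a present keyring, pinned to a missing
    one, or unpinned (accepts any key in the global trusted keyrings)."""
    findings = []
    for path, text in sources.items():
        parse = parse_deb822 if path.endswith(".sources") else parse_one_line
        for e in parse(text):
            key = e["signed_by"]
            if key is None:
                msg = "no signed-by: any key in /etc/apt/trusted.gpg(.d) is accepted"
            elif key.startswith("/") and not keyring_exists(key):
                msg = f"signed-by keyring {key} not found; updates will fail verification"
            else:
                msg = f"pinned to {key}"
            findings.append((e["uri"], msg))
    return findings


def load_system_sources(base="/etc/apt"):
    """Read the real configuration (not used by the self-contained run below)."""
    root = Path(base)
    files = [root / "sources.list"] + sorted((root / "sources.list.d").glob("*"))
    return {str(f): f.read_text() for f in files if f.is_file()}


if __name__ == "__main__":
    for uri, msg in audit(SAMPLE_SOURCES, lambda p: p in SAMPLE_KEYRINGS):
        print(f"{uri}: {msg}")
```

Running it against the constructed input reports the Tor entry as pinned to a keyring that does not exist and the second repository as unpinned; a real audit would replace `SAMPLE_SOURCES` with `load_system_sources()` and the lambda with `lambda p: Path(p).exists()`.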
I have no idea if that is the correct thing to do, but I wonder about the impossibility of creating new tickets and noticed that the parent project does allow creating tickets. GitLab can be confusing, and some repositories have ticketing disabled so all the tickets are in the same place.
Hi @emmapeel, I've taken a closer look and it seems like peter has disabled issues.
I can create issues for 'debian/tor-pristine-upstream' but not '/debian/tor'
This issue has been waiting for information two weeks or more. It needs attention. Please take care of this before the end of 2024-10-10. ~"Needs Information" tickets will be moved to the Icebox after that point.
(Any ticket left in Needs Review, Needs Information, Next, or Doing without activity for 14 days gets such notifications. Make a comment describing the current state of this ticket and remove the Stale label to fix this.)
To make the bot ignore this ticket, add the bot-ignore label.
... there are at least two things in there
16:56 <+weasel> the two names in /usr are a documentation bug; should be fixed.
16:57 <+weasel> and I agree that the thing should not ship /etc/apt, but I don't have the cycles to think of how to do a transition.
This issue has been waiting for information two weeks or more. It needs attention. Please take care of this before the end of 2024-11-21. ~"Needs Information" tickets will be moved to the Icebox after that point.
(Any ticket left in Needs Review, Needs Information, Next, or Doing without activity for 14 days gets such notifications. Make a comment describing the current state of this ticket and remove the Stale label to fix this.)
To make the bot ignore this ticket, add the bot-ignore label.