Bug #16327

Certify the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key

Added by sajolida 2019-01-08 16:09:45. Updated 2019-10-22 17:53:22.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2019-01-08
Due date:
% Done: 0%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

So far they are not.


Subtasks


Related issues

Related to Tails - Bug #15710: The Tails signing key is not trusted from within Tails (Confirmed, 2018-07-04)
Related to Tails - Feature #15890: Update our OpenPGP keys in 2019 (Resolved, 2018-09-01)

History

#1 Updated by sajolida 2019-01-08 16:12:11

  • related to Bug #15710: The Tails signing key is not trusted from within Tails added

#2 Updated by intrigeri 2019-01-10 07:41:50

  • Subject changed from Sign the key of tails-mirrors@boum.org and tails-sysadmins@boum.org by the signing key to Sign the key of tails-mirrors@boum.org and tails-sysadmins@boum.org with the signing key
  • Status changed from New to Confirmed

Would be nice, indeed :)

Regarding implementation: any set of people who can reconstruct our signing key can do that.

#3 Updated by sajolida 2019-01-10 09:46:35

#4 Updated by intrigeri 2019-04-25 13:38:52

  • Subject changed from Sign the key of tails-mirrors@boum.org and tails-sysadmins@boum.org with the signing key to Sign the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key

#5 Updated by intrigeri 2019-10-08 13:13:55

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|8c8db842b316c7f158d382ed5d4a4ce57f12db1f.

#6 Updated by intrigeri 2019-10-08 13:16:51

  • Subject changed from Sign the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key to Certify the key of tails-{fundraising,mirrors,sysadmins}@boum.org with the signing key
  • Status changed from In Progress to Needs Validation
  • Assignee set to sajolida
  • Target version set to Tails_4.0

Done while I was on Feature #15890 and it was therefore cheaper:

  • sent the 3 pubkeys to hkps://keys.openpgp.org and hkps://hkps.pool.sks-keyservers.net
  • updated the 2 of these pubkeys that were in tails.git with commit:8c8db842b316c7f158d382ed5d4a4ce57f12db1f

#9 Updated by intrigeri 2019-10-21 11:46:15

  • Target version changed from Tails_4.0 to Tails_4.1

#10 Updated by sajolida 2019-10-22 16:17:52

  • Status changed from Needs Validation to In Progress
  • Assignee changed from sajolida to intrigeri

The signatures on tails-mirrors and tails-sysadmins are now on zimmerman.mayfirst.org, but not the signature on tails-fundraising. I can only see a signature by our old signing key, which expired in 2015 (0xBE2CD9C1):

http://zimmerman.mayfirst.org/pks/lookup?search=tails-fundraising%40boum.org&op=vindex

#11 Updated by intrigeri 2019-10-22 16:30:12

  • Status changed from In Progress to Needs Validation
  • Assignee changed from intrigeri to sajolida

> The signatures on tails-mirrors and tails-sysadmins are now on
> zimmerman.mayfirst.org, but not the signature on tails-fundraising.

That keyserver is lagging behind the pool. https://sks-keyservers.net/status/ confirms that it currently does not qualify to be in the pool, for some reason (I suspect a negative “ΔKeys” means “out of sync”). I know you have bad experiences with the pool reachability (me too), but at least it includes only keyservers that are up-to-date.

Here’s one keyserver that’s up-to-date (and in the pool), that has the signature: https://pgp.ocf.berkeley.edu/pks/lookup?op=vindex&fingerprint=on&search=0xFEB0D5A18EACAF99

#12 Updated by sajolida 2019-10-22 17:51:08

  • Status changed from Needs Validation to Resolved
  • Assignee deleted (sajolida)

I didn’t think that the same keyserver could be up-to-date on some of these keys only, after 2 weeks already. Strange. But problem solved!

#13 Updated by intrigeri 2019-10-22 17:53:22

> I didn’t think that the same keyserver could be up-to-date on some of these keys only, after 2 weeks already. Strange.

Software systems can be buggy in very surprising ways, indeed :)
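
The check discussed in comments #10 and #11 (does a fetched copy of a key carry a certification from the current signing key, or only one from an older key?) can be done locally instead of by reading a keyserver's vindex page. The following is an added example, not part of the original thread or of Tails' tooling: it parses output in the format of `gpg --with-colons --check-sigs`, and every key ID and address in it is a constructed placeholder.

```python
# Added example; all key IDs and addresses below are constructed placeholders.
CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature types

# Constructed sample in the format of `gpg --with-colons --check-sigs`.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC:
uid:-::::1400000000::0000::team-a@example.org:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::team-a@example.org:13x:
sig:!::1:1111111111111111:1300000000::::old signing key:10x:
sig:!::1:2222222222222222:1570000000::::current signing key:10x:
sub:-:4096:1:AAAAAAAAAAAAAAA1:1400000000::::::e:
sig:!::1:AAAAAAAAAAAAAAAA:1400000000::::team-a@example.org:18x:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC:
uid:-::::1400000000::0000::team-b@example.org:
sig:!::1:BBBBBBBBBBBBBBBB:1400000000::::team-b@example.org:13x:
sig:!::1:1111111111111111:1300000000::::old signing key:10x:
sig:-::1:2222222222222222:1570000000::::current signing key:10x:
"""


def certifiers(colon_output):
    """Map each user ID to the long key IDs of third parties that certified it."""
    result, subject, uid = {}, None, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            subject, uid = f[4].upper(), None
        elif f[0] == "uid" and len(f) > 9:
            uid = f[9]
            result.setdefault(uid, set())
        elif f[0] in ("sub", "uat"):
            uid = None  # signatures that follow do not belong to a user ID
        elif f[0] == "sig" and uid is not None and len(f) > 10:
            issuer = f[4].upper()
            # Field 2 is filled in by --check-sigs: "!" good, "-" bad, "?" no key.
            # It is empty with --list-sigs, where nothing has been verified.
            verified_bad = f[1] != "" and not f[1].startswith("!")
            if f[10][:2] in CERT_CLASSES and issuer != subject and not verified_bad:
                result[uid].add(issuer)
    return result


def uids_missing(colon_output, signer_keyid):
    """User IDs with no usable certification from signer_keyid (16 hex digits)."""
    signer = signer_keyid.upper()
    found = certifiers(colon_output)
    return sorted(u for u, ids in found.items() if signer not in ids)


if __name__ == "__main__":
    print(uids_missing(SAMPLE, "2222222222222222"))
```

Matching is done on the 16-digit long key ID from the `sig` record; an 8-digit short ID such as the one quoted in comment #10 is too collision-prone to match on.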