Notable Public Keys book update (Tor Browser, Youtube-dl)

Created by Steven Baltakatei Sandoval on 2022-03-09T18:13Z under a CC BY-SA 4.0 license and last updated on 2022-03-10T01:45Z.

I added two sections to the Notable Public Keys book (PDF, GitLab):

New Sections

Tor Browser

Tor Browser, along with Tails, is definitely one of the earliest programs I used that prominently featured verification methods for its installation executables. It was also one of the more prominent victims of a certificate spamming attack years ago. I made sure to include these details in the chapter I wrote. Although several PGP keys are mentioned in various docs, only a single key seems to be used continuously to sign release executables.

Youtube-dl

Although Youtube-dl, a Python2 project, seems to have become idle compared to its Python3 fork (see yt-dlp), it uses OpenPGP keys to sign releases and its GitHub project still sees occasional updates. The fork, "yt-dlp", does not seem to use OpenPGP signatures on release files; however, some of its developers who worked on Youtube-dl do sign commits with OpenPGP, so I mentioned their public key fingerprints so that my new scan_write_tm_gpgkeys.sh script can save a copy of their public keys in the book repository's ref/pgp_keys/ directory.

Updates

Bitcoin Core

I noticed this week that Bitcoin Core changed the way it signs binary releases. Specifically, last year around 2021-09, its Download page began linking to a signature file (SHA256SUMS.asc) separately from its release hash file (SHA256SUMS). Previously, both the hashes and the signature were contained within the same file (SHA256SUMS.asc). This change was made with the release of Bitcoin Core v0.22.0 to accommodate multiple people (besides Wladimir J. van der Laan) signing the binary release files. I count 12 signatures in the SHA256SUMS.asc file for the v0.22.0 release, none of which were made with van der Laan's project signing key (90C8 019E 36C2 E964), which was used to sign v0.11.0 through v0.21.2. Instead, van der Laan's signature was generated with his personal key.

This new method of signing releases makes sense to me if multiple groups wish for their own representative to personally review the code and sign off on it: instead of a group needing to figure out whether it can trust van der Laan, it can more simply trust its own representative.
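The verification flow this new layout implies, written out as an added shell example for this page (it is not Bitcoin Core's own tooling and not a script from the book): verify the detached SHA256SUMS.asc against SHA256SUMS, decide from gpg's machine-readable status lines how many of the signatures were made by fingerprints you have chosen to trust, and only then check the downloaded binary against the hash file. The file names follow the Bitcoin Core download page; the trusted-fingerprint file and the minimum signature count are assumptions you set yourself.

```shell
#!/bin/sh
# Added example for this page; not Bitcoin Core's tooling and not a book script.
# Verifies a detached, multi-signature SHA256SUMS.asc against SHA256SUMS, counts
# how many valid signatures come from fingerprints you have chosen to trust, and
# checks a downloaded binary against SHA256SUMS.
# Assumptions: POSIX sh, awk, GNU coreutils sha256sum, gpg 2.x with --status-fd.
# The trusted-fingerprint file (one 40-hex-digit fingerprint per line, spaces
# allowed) is something you maintain yourself; paths here are illustrative.

# From gpg --status-fd output, print the primary-key fingerprint of every
# VALIDSIG line. A signature made by a signing subkey reports the subkey's
# fingerprint in field 3 and the primary key's as the last field, and project
# pages list primary-key fingerprints, so the last field is the one compared.
valid_sig_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

# Count signatures gpg could not check because the signer's key is not in the
# local keyring (NO_PUBKEY). gpg exits non-zero when any of these occur, which
# is why the decision below rests on status lines, not on gpg's exit code.
unknown_sig_count() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { n++ } END { print n + 0 }'
}

# Count VALIDSIG fingerprints that appear in the trusted-fingerprint file $1
# (case and spaces in that file are ignored, blank lines skipped).
count_trusted_valid_sigs() {
    valid_sig_fprs | awk -v f="$1" '
        BEGIN { while ((getline l < f) > 0) { gsub(/ /, "", l); if (l != "") t[toupper(l)] = 1 } }
        toupper($0) in t { n++ }
        END { print n + 0 }'
}

# verify_sums SHA256SUMS SHA256SUMS.asc trusted.txt [min_signatures]
# Succeeds only if at least min_signatures (default 1) trusted keys signed the
# hash file. gpg's human-readable output is discarded; status lines go to stdout.
verify_sums() {
    sums=$1 sig=$2 trusted=$3 need=${4:-1}
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null || true)
    n=$(printf '%s\n' "$status" | count_trusted_valid_sigs "$trusted")
    u=$(printf '%s\n' "$status" | unknown_sig_count)
    echo "trusted valid signatures: $n (unverifiable, key not in keyring: $u)"
    [ "$n" -ge "$need" ]
}

# check_hash SHA256SUMS bitcoin-<ver>-<platform>.tar.gz
# Only the line for the file you downloaded (second field of the
# "hash  filename" format) is fed to sha256sum, so a hash file that lists
# binaries you did not fetch causes no spurious failures.
check_hash() {
    awk -v f="$2" '$2 == f' "$1" | sha256sum -c -
}

# Usage: sh verify_release.sh SHA256SUMS SHA256SUMS.asc trusted.txt [min_signatures]
if [ $# -ge 3 ]; then
    verify_sums "$@"
fi
```

Run it as `sh verify_release.sh SHA256SUMS SHA256SUMS.asc trusted.txt 3` after `gpg --import`ing the keys of the signers you have decided to rely on, then `check_hash SHA256SUMS <downloaded file>`; a large NO_PUBKEY count is expected with a multi-signer file and is not itself a failure, which is exactly why the trusted count, not gpg's overall exit status, is what the script tests.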

Scripts

scan_write_tm_gpgkeys.sh

I wrote a bash script to automatically scan the book's source code for strings resembling gpg fingerprints and then check whether any public keys match. The script then exports a minimal (without third-party signatures) ASCII-armored version of each matching public key to a target directory, using the full 40-character fingerprint in the file name. I have been meaning to include minimal copies of all public keys I mention in the book in the repository. This script lets me do that. Since I intend the book to be able to be printed out onto paper, I do not plan on including the actual public keys themselves in the book, since some of them can be quite large even in minimal format; I don't want to have to write code to strip out extraneous UIDs.

scan_write_http_gpgkeys.sh

After I wrote and tested scan_write_tm_gpgkeys.sh, I realized it wouldn't be too much extra work to adapt a fork of the script to scan webpages for things resembling gpg fingerprints. Several of the projects for which I have written chapters post the fingerprints used to sign files on centralized download pages that are kept updated; whenever their PGP key changes, they update the fingerprint. This script can be a handy tool to quickly identify public keys that I may be missing from my collection when I occasionally sit down to update chapters of the book.
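The scan-and-export idea behind both scripts, as an added shell example written for this page: this is not the book's scan_write_tm_gpgkeys.sh or scan_write_http_gpgkeys.sh, just the same procedure (find fingerprint-looking strings in files or a fetched web page, normalise them, and write a minimal armored export of each key the local keyring already holds) written out so it can be run. The directory and file paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example for this page; it is not the book's scan_write_tm_gpgkeys.sh or
# scan_write_http_gpgkeys.sh, only the same idea written out so it can be run.
# Assumptions: POSIX sh, grep -E, awk, gpg 2.x, curl; the key directory and
# source file paths in the usage line are illustrative.

# Print every string in the given files that looks like an OpenPGP v4
# fingerprint: forty hex digits, either contiguous or in ten groups of four
# separated by single spaces (the layout used in the book and on download
# pages). Output is normalised to forty uppercase hex digits, one per line,
# deduplicated. Longer hex runs (for example a 64-digit SHA-256 hash) are
# matched whole and then dropped by the length filter, so they do not leak a
# 40-digit prefix into the result; 16-digit key IDs are never matched.
extract_fingerprints() {
    grep -ohE '[0-9A-Fa-f]{4}( [0-9A-Fa-f]{4}){9}|[0-9A-Fa-f]{40,}' "$@" \
        | tr -d ' ' \
        | awk 'length($0) == 40' \
        | tr '[:lower:]' '[:upper:]' \
        | sort -u
}

# Read fingerprints on stdin; for each one present in the local keyring, write a
# minimal ASCII-armored export (no third-party certifications) to
# $1/<FINGERPRINT>.asc. Keys not in the keyring are reported on stderr so they
# can be fetched and checked by hand before anything is written.
export_minimal_keys() {
    outdir=$1
    mkdir -p "$outdir"
    while IFS= read -r fpr; do
        if gpg --batch --quiet --list-keys "$fpr" >/dev/null 2>&1; then
            gpg --batch --armor --export-options export-minimal \
                --export "$fpr" > "$outdir/$fpr.asc"
            echo "exported $outdir/$fpr.asc"
        else
            echo "not in keyring: $fpr" >&2
        fi
    done
}

# The same scan over a project's download page instead of the book sources.
scan_url() {
    curl -fsSL "$1" | extract_fingerprints
}

# Usage: sh scan_gpgkeys.sh ref/pgp_keys src/*.tm
if [ $# -ge 2 ]; then
    outdir=$1; shift
    extract_fingerprints "$@" | export_minimal_keys "$outdir"
fi
```

The length filter is the part worth keeping: a naive `[0-9A-Fa-f]{40}` quietly turns every SHA-256 hash on a download page into a bogus "fingerprint", and `gpg --list-keys` would then just report each one as unknown.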

Future Sections

The next chapters I plan to write are listed below in descending order of priority.

  • Electrum. A bitcoin wallet. I believe including this in the book will help prevent some people from losing serious amounts of money over time.
  • TailsOS. A privacy-focused GNU/Linux operating system that uses Tor for all communication. I believe including this in the book will help give journalists and activists more confidence when tackling the intimidating process of installing Tails for the first time.
  • VeraCrypt. A filesystem encryption program. An audited successor to TrueCrypt.
  • F-Droid. An alternative to the Google Play store.
  • LibreOffice. An alternative to Microsoft Office.
  • Red Hat. A popular commercial GNU/Linux operating system / service company I don't have much experience with but which uses OpenPGP signatures to sign software.