Notable Public Keys book update (Tor Browser, Youtube-dl)
Created by Steven Baltakatei Sandoval on 2022-03-09T18:13Z under a CC BY-SA 4.0 license and last updated on 2022-03-10T01:45Z.
I added two sections to the Notable Public Keys book (PDF, GitLab):
New Sections
Tor Browser
Tor Browser, along with Tails, is definitely one of the earliest programs I used that prominently featured verification methods for its installation executables. It also was one of the more prominent victims of a certificate spamming attack years ago. These details I made sure to include in the chapter I wrote. Although several PGP keys are mentioned in various docs, only a single key seems to continuously be used to sign release executables.
Youtube-dl
Although Youtube-dl, a Python2 project, seems to have become idle compared to its Python3 fork (see yt-dlp), it uses OpenPGP keys to sign releases and its GitHub project still sees occasional updates. The fork, yt-dlp, doesn't seem to use OpenPGP signatures on release files; however, some of its developers who worked on Youtube-dl do sign commits with OpenPGP, so I mentioned their public key fingerprints so that my new scan_write_tm_gpgkeys.sh script can save a copy of their public keys in the book repository's ref/pgp_keys/ directory.
Updates
Bitcoin Core
I noticed this week that Bitcoin Core changed the way it signs binary releases. Specifically, last year around 2021-09, its Download page began linking to a signature file (SHA256SUMS.asc) separately from its release hash file (SHA256SUMS). Before, both the hashes and the signature were contained within the same clearsigned file (SHA256SUMS.asc). This change was made upon release of Bitcoin Core 22.0 (the release that also dropped the leading "0." from version numbers) in order to accommodate the ability for multiple people (besides Wladimir J. van der Laan) to sign the binary release files. I count 12 signatures in the SHA256SUMS.asc file for that release, none of which are from van der Laan's project signing key (90C8 019E 36C2 E964), which had been used to sign v0.11.0 through v0.21.2. Instead, van der Laan's signature was generated with his personal key.
This new method of signing releases makes sense to me if multiple groups wish for their own representative to personally review the code and sign off on it; instead of a group needing to figure out if they can trust van der Laan, they can more simply trust their group's representative.
Scripts
scan_write_tm_gpgkeys.sh
I wrote a bash script to automatically scan the book's source code for strings resembling gpg fingerprints and then check whether any public keys match. The script then exports a minimal (no third-party signatures) ASCII-armored version of each matching public key to a target directory, using the full 40-character fingerprint in the file name. I have been meaning to include minimal copies of all public keys I mention in the book in the repository; this script lets me do that. Since I intend the book to be printable on paper, I do not plan on including the public keys themselves in the book, since some of them can be quite large even in minimal form, and I don't want to have to write code to strip out extraneous UIDs.
scan_write_http_gpgkeys.sh
After I wrote and tested scan_write_tm_gpgkeys.sh, I realized it wouldn't be too much extra work to adapt a fork of the script to scan web pages for things resembling gpg fingerprints. Several of the projects for which I have written chapters post the fingerprints used to sign files on centralized download pages that are kept updated; whenever their PGP key changes, they update the fingerprint. This script can be a handy tool for quickly identifying public keys that I may be missing from my collection when I occasionally sit down to update chapters of the book.
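The two scanners share one core: pull fingerprint-shaped strings out of text, normalise them, ask the local keyring, and export a minimal key. The script below is an added illustration of that core, not the book's scan_write_tm_gpgkeys.sh or scan_write_http_gpgkeys.sh; the same extraction function serves both uses, fed either from source files or from a page fetched with curl. It assumes GnuPG and a grep that supports -o and -w together (GNU and BSD grep do); the paths and URL in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not the book's own scripts): find OpenPGP fingerprints in
# text and export minimal armored copies of the matching public keys.

# extract_fingerprints: read text on stdin and print every string that looks
# like a 40-hex-digit v4 fingerprint, either packed or in gpg's grouped
# display form ("ABCD EF01 ... ABCD  EF01 ..."), normalised to packed upper
# case and de-duplicated. -w rejects 40-digit substrings of longer hex runs
# such as a SHA-256 hash, so those never reach gpg.
extract_fingerprints() {
    grep -owE '[0-9A-Fa-f]{4}( {0,2}[0-9A-Fa-f]{4}){9}' \
        | tr -d ' ' | tr 'a-f' 'A-F' | sort -u
}

# has_public_key FPR: succeed if the local keyring holds this key.
has_public_key() {
    gpg --batch --with-colons --list-keys "$1" >/dev/null 2>&1
}

# export_minimal_key FPR DIR: write DIR/FPR.asc containing the key with only
# its self-signatures. export-minimal drops third-party certifications,
# which is what keeps a certificate-flooded key small.
export_minimal_key() {
    gpg --batch --armor --export-options export-minimal \
        --export "$1" > "$2/$1.asc"
}

# scan_and_export DIR [FILE...]: scan FILEs (or stdin when none are given)
# and export every fingerprint that matches a locally held key.
scan_and_export() {
    dir=$1; shift
    mkdir -p "$dir"
    cat "$@" | extract_fingerprints | while IFS= read -r fpr; do
        if has_public_key "$fpr"; then
            export_minimal_key "$fpr" "$dir" && echo "exported $fpr"
        else
            echo "no local key for $fpr; fetch and verify it out of band" >&2
        fi
    done
}

# Book sources (placeholder paths):
#   scan_and_export ref/pgp_keys path/to/book/src/*
# A project's download page (placeholder URL):
#   curl -sSL https://example.org/download | scan_and_export ref/pgp_keys
```

Two caveats for the web variant: a page that renders the fingerprint from JavaScript, or splits it across HTML tags, yields nothing to grep, so check the raw source when a known fingerprint is not found; and a fingerprint found on a download page is a lead to fetch and cross-check, not proof of anything, since whoever controls the page controls that string.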
Future Sections
The next chapters I plan to write are below in descending order of priority.
- Electrum. A bitcoin wallet. I believe including this in the book will help prevent some people losing serious amounts of money over time.
- TailsOS. A privacy-focused GNU/Linux operating system that routes all communication through Tor. I believe including this in the book will help give journalists and activists more confidence when tackling the intimidating process of installing Tails for the first time.
- VeraCrypt. A filesystem encryption program. An audited successor to TrueCrypt.
- F-Droid. An alternative to the Google Play store.
- LibreOffice. An alternative to Microsoft Office.
- Red Hat. A popular commercial GNU/Linux operating system / service company I don't have much experience with but which uses OpenPGP signatures to sign software.