Upload PGP Keys on distinct domains #3079
Comments
I have uploaded and verified our key at https://keys.openpgp.org/. We should also upload it to our website. Regarding other domains: Twitter doesn't provide enough space for all the information I want to include, so I have added the fingerprint to Mastodon. However, I don't really use YouTube, Instagram, or Keybase. We have some YouTube videos here on how to verify releases, but we probably need to put together some documentation as well.
Thanks! Yeah, I definitely think text documentation takes priority over video documentation. It's more accessible.
Is there an existing request for feature?
What feature would you like?
This ticket is a request to:
Why?
It's possible for a very powerful adversary to compromise your release infrastructure (or the infrastructure between the server and the client) and get a new session user to download a malicious version of the release, signature, and the release signing key -- but it's exponentially more difficult for them to compromise multiple distinct domains.
Remember: monero's release infrastructure has already been compromised once. And here's a great list of historically relevant cases where this happened:
Part One: Making key available out-of-band
SKS Keyservers
I found that I could obtain your key from Ubuntu's SKS Keyserver. This is great!
Nothing to do here.
https://keys.openpgp.org/
keys.openpgp.org is a newer keyserver that doesn't sync with the others, and it strips UIDs and signatures by default for privacy and to resist certificate spamming attacks.
Unfortunately, I could not search for your key on this server by email address because it looks like you've never verified the email address.
Please verify your email address by clicking the link sent to the uid of the key ([email protected]) as described here:
Mastodon
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to one of your Mastodon account's "profile fields" (e.g. a new field named "PGP" in addition to "Website", "Download", "Youtube", "Odysee")
Twitter
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your Twitter profile description
Instagram
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your Instagram profile description
YouTube
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your YouTube profile description
Other domains
I do recommend adding your key to as many other domains as possible, including:
The more domains you upload it to, the better.
Part Two: Documenting it
After uploading your public key and/or full fingerprint to as many distinct domains as possible, please update the project's documentation to enumerate all of these locations and write a paragraph describing how the user can mitigate the risk of compromised infrastructure by cross-checking the integrity of the key across multiple domains.
Anything else?
No response
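The cross-check the issue asks users to perform (Part Two: compare the fingerprint of the key you actually downloaded against the fingerprint published on several independent domains, and only trust it when they all agree) can be made mechanical. The following is an added example written for this page; it is not code from the project or from the issue author. It does two things: it derives a v4 fingerprint from a public-key packet body the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-octet length, and the body), so the reader can see that the fingerprint is bound to the key material itself, and it compares a downloaded key's fingerprint against fingerprints copied from distinct domains, requiring a quorum of agreeing domains and zero dissenting ones. The fingerprint FC2821DE35BD839E93D3AE7650F7890BCDED90AB is the one quoted in the issue; the domain labels, the "tampered" mirror value, and the RSA key packet (whose modulus is an arbitrary constructed integer, not a real key) are all constructed for the example.

```python
"""Cross-check a PGP key fingerprint across distinct domains.

Added example, not project code. The published-fingerprint tables and the
sample key packet below are constructed for illustration.
"""
import hashlib
import re
import struct


def _mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA (algorithm 1) public-key packet (RFC 4880 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body, as 40 hex chars."""
    digest = hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def normalize(fpr: str) -> str:
    """Canonicalise the ways a fingerprint gets pasted onto profiles.

    Accepts 'FC28 21DE ...', 'fc2821de...' and '0xFC28...'; rejects anything that
    is not exactly 40 hex digits, so a truncated copy cannot silently match.
    """
    s = re.sub(r"\s+", "", fpr)
    if s.lower().startswith("0x"):
        s = s[2:]
    s = s.upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not a 40-hex v4 fingerprint: {fpr!r}")
    return s


def cross_check(downloaded_fpr: str, published: dict, quorum: int = 3):
    """Accept the downloaded key only if >= quorum domains agree and none disagree.

    `published` maps a domain label to the fingerprint the user copied from it.
    A single dissenting domain is treated as a red flag, not outvoted: either
    that domain or the download path has been tampered with, and the user
    should find out which before trusting the key.
    Returns (accepted, agreeing_domains, disagreeing_domains).
    """
    want = normalize(downloaded_fpr)
    agree, disagree = [], []
    for domain, fpr in published.items():
        (agree if normalize(fpr) == want else disagree).append(domain)
    accepted = len(agree) >= quorum and not disagree
    return accepted, sorted(agree), sorted(disagree)


# Fingerprint quoted in the issue above.
PAGE_FPR = "FC2821DE35BD839E93D3AE7650F7890BCDED90AB"

# Constructed: fingerprints as a user might copy them, by hand, from each domain.
PUBLISHED_OK = {
    "keys.openpgp.org": "FC2821DE35BD839E93D3AE7650F7890BCDED90AB",
    "mastodon profile field": "fc28 21de 35bd 839e 93d3 ae76 50f7 890b cded 90ab",
    "project website": "0xFC2821DE35BD839E93D3AE7650F7890BCDED90AB",
}
# Constructed: a fourth source whose last hex digit differs (simulated tampering).
PUBLISHED_TAMPERED = dict(
    PUBLISHED_OK, **{"download mirror": "FC2821DE35BD839E93D3AE7650F7890BCDED90AC"}
)

# Constructed v4 RSA public-key packet body: the modulus is an arbitrary
# 1024-bit integer, not a real key; it only exists to exercise fingerprint_v4().
SAMPLE_BODY = v4_public_key_body(created=1_600_000_000, n=(1 << 1023) | 0x1234567, e=65537)


if __name__ == "__main__":
    print("sample packet fingerprint:", fingerprint_v4(SAMPLE_BODY))
    for label, table in (("all domains agree", PUBLISHED_OK),
                         ("one domain differs", PUBLISHED_TAMPERED)):
        ok, agree, disagree = cross_check(PAGE_FPR, table)
        print(f"{label}: accept={ok} agree={agree} disagree={disagree}")
```

In practice the `downloaded_fpr` argument is what `gpg --fingerprint <key id>` prints after `gpg --import` of the key file you fetched, and the `published` table is filled in by visiting each domain yourself rather than by following links from the download page, since a compromised download path can rewrite those links too. The quorum is a policy knob: three independent domains is a reasonable floor, and any disagreement should stop the process rather than be outvoted.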