Many signatures created/visible in KGpg after installing torbrowser-launcher

Some time ago I filed this bug report:

https://bugzilla.opensuse.org/show_bug.cgi?id=1079251

Since then I haven’t looked at KGpg. Normally in it there was only one key.
But the other day when I looked I saw a key named “Tor Browser Developers” and under it lots of items with Name="[No user id found]" (perhaps 50 or more). There is only one item with Name=“Tor Browser Developers”.

I am still learning about crypto keys and all that stuff is not quite clear to me. Yet it looks like a mess.

Is that related to the bug? (i.e. is it a result of it?)
And is it safe/recommended to delete all that mess? (or if not - how do I clean it up)

I just looked here. I see 220 keys.

It is easy to have a lot of keys.

Some of the keys do not have an email address. I think they all have a name field, but that’s probably not required. It would not surprise me if the Tor folk use keys with no user and no email address.

I don’t use tor here, so I don’t have experience with it. From your description, it seems that maybe torbrowser comes with a bunch of keys, and you imported those to your keyring.

There’s probably no reason for concern. It should be safe to delete keys that you are not using. Just be careful to not delete your own key.

But why does one need those?

The concern is because it seems to have happened after having torbrowser-launcher installed. Previously if I downloaded the tor browser from the official site and simply unpacked and ran it - no keys were created at all.

It all has to do with the web of trust.

I download a key for some good purpose. But how do I know it isn’t forged? So I check some of the signatures on that key. And, to check signatures, I have to download the signing key.

Sometimes it takes multiple iterations of this to be confident of a key.

Then why doesn’t the Tor Browser downloaded from https://www.torproject.org/ create all those keys? Is it less trustworthy?

I do not have any experience with tor. Sorry.

Well, the question is not really about tor but about the particular package in openSUSE named torbrowser-launcher due to which all this happens. Hence the whole confusion.

The “torbrowser-launcher” package description does say that it does signature verification for you. So I assume that it installs gpg signatures that are needed for that verification.

It’s probably nothing to be concerned about.

My concern is about the mess of data it adds and whether it is a result of the related bug which I mentioned. IOW: what may be the consequences if I remove all those many keys? Would it recreate them automatically on next run, would I damage something tremendously, would I have to reinstall the program or anything else? Or where/who should I ask? :)

When I look at that bug report, it indicates that it is a duplicate.

When I look at the bug it duplicates, it looks to me as if launching the tor browser does install keys in your gpg keyring, but apparently some of the keys are out of date. And it gives a command to refresh those from an online keyserver.

I’m thinking that you don’t really have a “mess of data”. Rather, you have a bunch of keys that the tor browser depends on. There probably isn’t anything that needs fixing, beyond that refreshing of keys.

I “jumped” and deleted all these keys. Then in torbrowser-launcher I reinstalled tor browser. No keys were recreated.
I wish I knew what all this means :)