Download key using web key directory from torproject.org instead of keyservers
[torbrowser-launcher.git] / torbrowser_launcher / common.py
index 4e3a30a6db3430bd96348d0358fa667227e347f3..adb9426aad1b6019dfaf65e9881443195f9f1594 100644 (file)
@@ -139,7 +139,6 @@ class Common(object):
                 'tbl_bin': sys.argv[0],
                 'icon_file': os.path.join(os.path.dirname(SHARE), 'pixmaps/torbrowser.png'),
                 'torproject_pem': os.path.join(SHARE, 'torproject.pem'),
-                'keyserver_ca': os.path.join(SHARE, 'sks-keyservers.netCA.pem'),
                 'signing_keys': {
                     'tor_browser_developers': os.path.join(SHARE, 'tor-browser-developers.asc')
                 },
@@ -194,12 +193,11 @@ class Common(object):
         else:
             print('Refreshing local keyring...')
 
+        # Fetch key from wkd, as per https://support.torproject.org/tbb/how-to-verify-signature/
         p = subprocess.Popen(['/usr/bin/gpg2', '--status-fd', '2',
                               '--homedir', self.paths['gnupg_homedir'],
-                              '--keyserver', 'hkps://hkps.pool.sks-keyservers.net',
-                              '--keyserver-options', 'ca-cert-file=' + self.paths['keyserver_ca']
-                              + ',include-revoked,no-honor-keyserver-url,no-honor-pka-record',
-                              '--refresh-keys'], stderr=subprocess.PIPE)
+                              '--auto-key-locate', 'nodefault,wkd',
+                              '--locate-keys', 'torbrowser@torproject.org'], stderr=subprocess.PIPE)
         p.wait()
 
         for output in p.stderr.readlines():
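Review bot: The `--locate-keys torbrowser@torproject.org` call selects the key by mail address only, so whatever key the torproject.org web key directory serves for that address is imported into `gnupg_homedir`. Trust in the signing key then rests on the TLS connection to that host rather than on the bundled `tor-browser-developers.asc`. The rest of the function lies outside this hunk, so it is not visible whether the status lines read from `p.stderr` are compared with the fingerprint of the bundled key. If they are not, the loop should accept the refresh only when the reported fingerprint equals the expected one, with a comment above the `Popen` call such as `# WKD result is trusted only if its fingerprint matches the bundled signing key`. Separately, `p.wait()` runs before stderr is drained and has no timeout, so a stalled lookup or a full pipe blocks the launcher; `_, status = p.communicate(timeout=<seconds>)` followed by iterating `status.splitlines()` would avoid both, provided `subprocess.TimeoutExpired` is handled.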