Install Node.js over Tor

[elimork]

This is something that I hope people updating their Debian machines over tor (which is a must if you care for your privacy and security) could find courious and useful.
But only if also they need Node.js for some reason. There should be, once I expand the matters, some deeper insight/investigation into a repository key issue.

For doing all the installing and updating over tor, readers who are yet to learn of this goodness, pls read:
https://blog.torproject.org/debian-and- ... -services/

And about Node.js, it's at https://nodejs.org/. I happen to need this program now.

Recently Node.js have done this:

Revamping our repo: Closing over 75% of our issues with these changes

which read in: https://github.com/nodesource/distribut ... ns/#123456

It should go smoothly as per:
https://github.com/nodesource/distributions

However there are issues:
https://github.com/nodesource/distributions/issues/1723
(the issue is entitled "[ERROR] User-Agent Discrimination on Repository Web Server results in "HTTP Error 403: Forbidden" #1723")

I've stumbled upon something that looks very similar to what is pointed to there, and it appears to me it's not just Ansible nor my Debian that get issues with the installing as per the distribution page linked above.

While it probably would work to just download the right tar.gz from https://nodejs.org/en/download/ I prefer installing things in Debian using the repository that they have set up.

I first thought about following the tip at Installation instructions:

Node.js LTS (v20.x):

Using Debian, as root

curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - &&\
apt-get install -y nodejs

Note: I don't install things over clearnet. I woudn't run that line without modification. I have

/usr/local/bin/t_curl
#!/bin/sh
torsocks /usr/bin/curl $@

So the line would be: t_curl -fsSL ...

I'll be substituting curl with t_curl in lines below that I will paste.

but then I saw there is also the:
Repository-Manual-Installation.
Just as it reads there:

if you prefer a manual approach or wish to understand the process in detail, the following guide is available

And, in essence, this is the issue that I can't solve. Their repo key.
Configuration Steps for Debian systems, Initialize the New Repository
where it reads:

# Download the new repository's GPG key and save it in the keyring directory
t_curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg

which I get only:

curl: (22) The requested URL returned error: 403
                                                gpg: no valid OpenPGP data found.

So I try simply:

t_curl -L https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o nodesource-repo.gpg.key

as the -fsS is just cosmetic:
and the post would get unreadable if I posted here what nodesource-repo.gpg.key looks like. They look like doing some Javascript magic with gpg, along with CloudFlare rays and I can't figure out how that can work. I need another post now.

[elimork]

The gpg-JS-Cludflare HTML deb-repo key that I t_curl downloade is not easily human readable. So, rename and sed and tr it:

mv -iv nodesource-repo.gpg.key nodesource-repo.gpg.key.html

sed 's/></>\n</' nodesource-repo.gpg.key.html > nodesource-repo.gpg.key.html-240121-0433

cat nodesource-repo.gpg.key.html-240121-0433 | tr ' ' '\012' > tmp

mv -iv tmp nodesource-repo.gpg.key.html-240121-0433

And because it needs to have an extenstion to be attached here:

mv -iv nodesource-repo.gpg.key.html-240121-0433 nodesource-repo.gpg.key-240121-0433.html

Tor is not meant for true identity nor true metadata. The timestamp in the filename (240121-0433) I gave to the gpg-JS-Cludflare HTML deb-repo key is not when I connected and curl'ed it down. I have to also try and randomize the CloudFlare rays and other metadata. and I'll attach the 6383 bytes of that anonymized file.
Upfront I can tell readers that, if curl'ed down over Tor (and I can't tell, but probably also if curl'ed down over clearnet -- great if somebody try and tell us), it gets you different values all the time. And I just can't figure out how that could get a GPG-repo key that would be consistent for all users.
The thing is, I am asking for support here, because I'm uncertain of this whole thing. Is this way just for Tor users, or for clearnet and Tor users, or even in some unphathomable twist of events is this just happening to me... Probably not the latter... But I would be really confused even towards that latter possibility, had it not been documented in the above linked https://github.com/nodesource/distributions/issues/1723 where apparently an Ansible user experienced a similar case likely over clearnet.

But I can't attach it. Tried a dozen times. Always says: "Invalid file extension: <name of file>", and I tried removing all dots, giving it extension .txt on top of .html. Nothing works. It's 6.5k, 512KiB allowed. Must try a little later.

[Aki]

Hello,

I'm sorry, but the main topic of your posts is not easy to understand (at least for me).

It does not seem to be about Debian anyway. It seems to have something to do with the Internet filtering policy of a website unrelated to Debian.

It seems to me that your main problem is that you cannot download a pgp key over the Tor network, while it can be retrieved without relaying to the Tor network:

Code: Select all

$ torify curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
curl: (22) The requested URL returned error: 403

$ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B
hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM
Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32
9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR
TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z
E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk
LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI
AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc
NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o
xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk
Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4
hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg
BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5
AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u
JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu
ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi
0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp
Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ
YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb
DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE
IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet
y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao
x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2
K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw
FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa
=MARt
-----END PGP PUBLIC KEY BLOCK-----

I suspect you can't do anything about it.

If I'm right, please modify the subject of the first post from:

• "Install Node.js over Tor"

to:

• "Cannot access a file over Tor network (filtered site)"

Moving the discussion from "General Questions" to "Off-Topic" sub-forum.

[elimork]

hanks, Aki for looking into this.

I'm sorry, but the main topic of your posts is not easy to understand (at least for me).
It does not seem to be about Debian anyway. It seems to have something to do with the Internet filtering policy of a website unrelated to Debian.

Right, in part. Not completely, because the topic is about a deb-packages repository, so about programs that install only on Debian and derivatives.
But I'm fine with your decision.

Because how can I not be fine with your decision: you solved my problem for me by giving me their PGP-key!

It seems to me that your main problem is that you cannot download a pgp key over the Tor network, while it can be retrieved without relaying to the Tor network:

Code: Select all

$ torify curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
curl: (22) The requested URL returned error: 403

$ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B
[...]
[/quote]
It's easy now to just paste the key you posted with your output of the commands in clearnet into a file [highlight=green]debian-forums-Aki-nodeJS.key[/highlight] and do:
[code]
$ cat debian-forums-Aki-nodeJS.key |  sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
[sudo] password for root:
File '/etc/apt/keyrings/nodesource.gpg' exists. Overwrite? (y/N) y

(the file was 0 size because of the previous failed attempts)

Code: Select all

$ ls -l debian-forums-Aki-nodeJS.key /etc/apt/keyrings/nodesource.gpg
-rw-r--r-- 1 tiba tiba 1684 2024-01-21 19:40 debian-forums-Aki-nodeJS.key
-rw-r--r-- 1 root root 1185 2024-01-21 19:41 /etc/apt/keyrings/nodesource.gpg

So, what happened here is, I finally got the key, and I haven't deanonymized myself. That's Debian for me at it's best.
What I expect now, is I'll be able to install Node.js over tor, hopefully.

I'll report how my install will go. That's the important thing to do.

But I would also like to point to what those devs probably do. Because it mind-boggling. That's the other side of this issue. Kind of different issue, kind of separate issue. I find it very courious! Wait...

[elimork]

There's a post that I just wrote and it is awaiting approval, but I hope I can post another in the meantime.

The good thing is, so far, I haven't given away my identitiy, and I got the key. If anybody else needed it, this is how it's done:

Code: Select all

$ gpg  --homedir _gpg --import debian-forums-Aki-nodeJS.key
gpg: WARNING: unsafe permissions on homedir '/home/tiba/nodesource-key_/_gpg'
gpg: key 2F59B5F99B1BE0B4: public key "NSolid <nsolid-gpg@nodesource.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

And now:

Code: Select all

$ gpg   --homedir _gpg --list-key nsolid-gpg@nodesource.com
gpg: WARNING: unsafe permissions on homedir '/home/tiba/nodesource-key_/_gpg'
pub   rsa2048 2016-05-23 [SC]
      6F71F525282841EEDAF851B42F59B5F99B1BE0B4
uid           [ unknown] NSolid <nsolid-gpg@nodesource.com>
sub   rsa2048 2016-05-23 [E]

The curious thing is that they send you, with the file that I'll try to attach now:
nodesource-240121-0433.tar
and now:

Code: Select all

tar xf  nodesource-240121-0433.tar
ls -l nodesource-240121-0433.txt # when untar'ed
mv -iv nodesource-240121-0433.txt nodesource-repo.gpg.key-240121-0433.html_RAW
head -n125 nodesource-repo.gpg.key-240121-0433.html_RAW | tail -n123 >  nodesource-repo.gpg.key-240121-0433.html

And that is sufficiently human readable file that you get with the last night and this morning (UTC) discussed command line by Node.js devs.
Who is courious like me, do not open that file in a browser, but in your $EDITOR.
After I inserted newlines for legibility, I have replaced the likely deanonymizing metadata in that file with strings like

Code: Select all

value
VaLuE
000000000..

as those would serve the purpose of tracking, what else, wouldn't they?
And, what I can not show, but any user with sufficient curiousity and some time at hand can see for themselves, if you download over tor that gpg-JS-Cludflare HTML deb-repo key, you'll get in exactly those fields that I subsitute those values in, different values, every next time you download it!

And how does it get the right gpg key in your with different input every time?

That's cryptography, that's math! I'm not sure how, but, if you look up that file, you'll see this line (truncated):

Code: Select all

integrity="sha512-euoFGowhlaLqXsPWQ48qSkBSCFs3DPRyiwVu3FjR96cMPx+Fr+gpWRhIafcHwqwCqWS42RZhIudOvEI+Ckf6MA=="

That's the line that will not change every time you redownload, all those that I modified will, but that one will not.
That's probably the SHA256 of the key itself or something like that.

That's what I found very interesting in this whole thing.

I'll report if I managed to install Node.js over Tor, but I'm not in a hurry now, and am busy.

Thanks for reading this. I hope you have been amused with all this.

[Aki]

I'm glad you sorted it out. :)

Please, mark the discussion as "solved" manually adding the text tag "[Solved]" at the beginning of the subject of the first message (after other tags, if any); for example:

[Solved] Install Node.js over Tor

All the best.