[tor-bugs] #13379 [Tor Browser]: Sign our MAR files
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 15 14:06:48 UTC 2014
#13379: Sign our MAR files
-------------------------+-------------------------------------------------
Reporter: mikeperry      | Owner: mcs
Type: defect             | Status: needs_review
Priority: major          | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: tbb-security,
                         |   TorBrowserTeam201412,TorBrowserTeam201412R
Actual Points:           | Parent ID:
Points:                  |
-------------------------+-------------------------------------------------
Comment (by gk):
Replying to [comment:36 mcs]:
> Kathy and I made changes to use a SHA512-based signature. Please review.
>
> https://gitweb.torproject.org/user/brade/tor-browser.git/commit/?h=bug13379-02&id=14447aca2f31c56ccadc289cef5f756e97d1f3a9
>
> I created a test certificate and exported it to a .der file by using these commands:
> {{{
> ./certutil -d .nss -N
> ./certutil -d .nss -S -x -g 4096 -Z SHA512 -n marsigner -s "CN=Tor Browser MAR signing key" -t,,
> ./certutil -d .nss -L -r -n marsigner -o marsigner.der
> }}}
This one looks good to me. Just one question: Why do we need the changes
in cryptox.h? I was under the impression we have `MAR_NSS` defined anyway
and thus there is no risk we would enter the `#elif XP_MACOSX` and
`#elif defined(XP_WIN)` blocks.
I think I am going to test the MAR signing a bit. What scenarios did your
testing already cover?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:38>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online