[tor-bugs] #15532 [Applications/Tor Browser]: Tor Browser 4.5 displays signature validation error during update
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 9 07:48:37 UTC 2016
#15532: Tor Browser 4.5 displays signature validation error during update
-----------------------------------------+--------------------------
Reporter: mikeperry | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-firefox-patch, ff38-esr | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------------+--------------------------
Comment (by gk):
As I said on IRC, you don't want to have just one key baked in. Think about
losing the key/having it compromised. How are you updating your users? You
can't sign the MAR files with the new key you are about to bake in. Even
if that would still work (because you just want to rotate to a new key),
every user would need to update to that particular version. Let's assume
you need to get a chemspill release out the week afterwards: if you used
your new key to sign the MAR files, a considerable amount of users will
have a broken update experience as they won't have updated to the version
with the new signing keys baked in yet.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15532#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
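
An added example, not part of the comment above and not Tor Browser's updater code: a small Python model of which installed versions can still verify an update when one or two signing keys are baked in. The key names A, B and C, the version numbers and the `Release` type are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Release:
    version: str
    signed_by: str        # key that signed this release's MAR file
    baked_in: frozenset   # keys compiled into this build's updater

def accepts(installed, target):
    # A MAR is checked against the keys in the *installed* build,
    # never against keys shipped inside the update itself.
    return target.signed_by in installed.baked_in

def stranded(history):
    """Older versions that cannot verify the newest release directly."""
    latest = history[-1]
    return [r.version for r in history[:-1] if not accepts(r, latest)]

def can_reach_latest(history):
    """Older versions that can still get there by stepping through
    intermediate releases (assumes old MARs stay downloadable)."""
    ok = {len(history) - 1}
    for i in range(len(history) - 2, -1, -1):
        if any(j in ok and accepts(history[i], history[j])
               for j in range(i + 1, len(history))):
            ok.add(i)
    return [history[i].version for i in sorted(ok)[:-1]]

K = frozenset  # K("AB") is the key set {"A", "B"}
# Planned rotation with one baked-in key: 1.1 is signed with old key A
# and ships new key B; the chemspill 1.2 follows, signed with B.
ONE_KEY_ROTATION = [Release("1.0", "A", K("A")),
                    Release("1.1", "A", K("B")),
                    Release("1.2", "B", K("B"))]
# Key A lost or compromised with one baked-in key: nothing is signed with A.
ONE_KEY_LOST = [Release("1.0", "A", K("A")),
                Release("1.1", "B", K("B"))]
# Two baked-in keys: 1.0 already trusts B, so losing A strands nobody.
TWO_KEYS_LOST = [Release("1.0", "A", K("AB")),
                 Release("1.1", "B", K("BC")),
                 Release("1.2", "B", K("BC"))]

if __name__ == "__main__":
    for name, h in [("one key, rotation", ONE_KEY_ROTATION),
                    ("one key, lost", ONE_KEY_LOST),
                    ("two keys, lost", TWO_KEYS_LOST)]:
        print(name, "| stranded:", stranded(h), "| reachable:", can_reach_latest(h))
```

In the rotation case 1.0 is stranded by the chemspill and recovers only by first installing 1.1; in the lost-key case it cannot recover at all.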