[tor-bugs] #18497 [Applications/Tor Browser]: Check that MAR signing is done properly on the files available in the update responses
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 20 18:00:46 UTC 2016
#18497: Check that MAR signing is done properly on the files available in the update responses
--------------------------------------+-----------------------
Reporter: boklm | Owner: boklm
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------
Comment (by boklm):
A first version is available in the branch `bug_18497_v1` in my repo:
https://gitweb.torproject.org/user/boklm/tor-browser-bundle.git/log/?h=bug_18497_v1
Using this branch, running this command:
{{{
./check_update_responses_deployement http://aus1.torproject.org/torbrowser/update_2/ alpha
}}}
will check that:
* the correct version is returned, with incremental mar, for various
updater URLs
* the `sha256sums-unsigned-build.txt` and `sha256sums-unsigned-build.incrementals.txt`
files from this version are signed by the Tor Browser key
* the mar files available as update are matching the checksum from
`sha256sums-unsigned-build.txt` or `sha256sums-unsigned-build.incrementals.txt`
after removing the signature using `signmar -r`. A cache of the mapping between
signed mar sha512sum and unsigned mar sha256sum is kept in the file
`unsigned-sha256sums.txt`.
What is not done yet:
* change the user agent to be the same as Tor Browser
* check the updates for all locales (currently this is only done for `en-US`
and `de`)
* check that the sha256sums files are signed by two of the known
builders in addition to the Tor Browser key
* ignore the `has_incremental` error caused by the absence of incremental
update with the osx32 -> osx64 updates
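The checksum step of the comment above, as an added example in Python that is neither boklm's script nor Mozilla's libmar: it parses the MAR signature block, rebuilds the file with zero signatures the way `signmar -r` does, and memoises the signed-sha512 to unsigned-sha256 mapping that the comment keeps in `unsigned-sha256sums.txt`. The MAR header layout and the stripping logic are my reading of the format and are assumptions; `build_mar` only constructs test data.

```python
import hashlib, struct

def parse_mar_header(data):
    """Return (index offset, file size, signature alg ids, end of signature block).
    Layout: "MAR1", u32 index offset, u64 file size, u32 signature count, then per
    signature u32 alg id (1 = RSA-PKCS1-SHA1, 2 = RSA-PKCS1-SHA384), u32 size, bytes."""
    if data[:4] != b"MAR1":
        raise ValueError("not a MAR file")
    index_off, file_size, num_sigs = struct.unpack(">IQI", data[4:20])
    pos, algs = 20, []
    for _ in range(num_sigs):
        alg, size = struct.unpack(">II", data[pos:pos + 8])
        algs.append(alg)
        pos += 8 + size
    return index_off, file_size, algs, pos

def strip_signatures(data):
    """Rebuild the MAR with zero signatures, like `signmar -r` (my reimplementation, an assumption)."""
    index_off, _, _, sig_end = parse_mar_header(data)
    removed = sig_end - 20                # bytes of signature entries dropped
    body = data[sig_end:index_off]        # additional sections + file content
    index = bytearray(data[index_off:])   # u32 index size, then entries
    pos = 4
    while pos < len(index):               # entry: u32 offset, u32 size, u32 flags, name\0
        off, = struct.unpack(">I", index[pos:pos + 4])
        index[pos:pos + 4] = struct.pack(">I", off - removed)  # content moved up
        pos = index.index(b"\0", pos + 12) + 1
    return b"MAR1" + struct.pack(">IQI", index_off - removed, len(data) - removed, 0) + body + bytes(index)

def unsigned_sha256(signed_mar, cache):
    """sha256 of the stripped MAR, memoised by sha512 of the signed file (cf. unsigned-sha256sums.txt)."""
    key = hashlib.sha512(signed_mar).hexdigest()
    if key not in cache:
        cache[key] = hashlib.sha256(strip_signatures(signed_mar)).hexdigest()
    return cache[key]

def build_mar(files, sigs=()):
    """Construct a minimal MAR for testing (constructed data, not a build artifact)."""
    sig_block = b"".join(struct.pack(">II", alg, len(s)) + s for alg, s in sigs)
    content_start = 20 + len(sig_block) + 4   # + u32 "0 additional sections"
    content, entries = b"", b""
    for fname, blob in files:
        entries += struct.pack(">III", content_start + len(content), len(blob), 0o644) + fname.encode() + b"\0"
        content += blob
    index = struct.pack(">I", len(entries)) + entries
    index_off = content_start + len(content)
    return (b"MAR1" + struct.pack(">IQI", index_off, index_off + len(index), len(sigs))
            + sig_block + struct.pack(">I", 0) + content + index)
```

A served MAR passes when `unsigned_sha256(mar, cache)` equals the entry for its filename in the parsed `sha256sums-unsigned-build.txt`; the cache dict is what would be persisted between runs.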
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18497#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online