[tor-bugs] #25435 [Applications/Tor Browser]: keyring/binutils.gpg modified by `make alpha`
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 6 19:49:59 UTC 2018
#25435: keyring/binutils.gpg modified by `make alpha`
--------------------------------------+--------------------------
Reporter: dcf | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by dcf):
Replying to [comment:3 boklm]:
The cause seems to be the automatic `--check-trustdb` that gpg
occasionally runs before executing a command. I think I got "lucky" and
gpg decided to update the trustdb during the rbm build.
> The only command we use with `binutils.gpg` should be something like this:
> {{{
> $ gpg --with-fingerprint --keyring ./keyring/binutils.gpg --no-default-keyring --verify ./out/binutils/binutils-2.24.tar.bz2.sig ./out/binutils/binutils-2.24.tar.bz2
> }}}
>
> Could you check if just running this command is enough to modify `binutils.gpg`?
I did another `make alpha`, and this time there was no change to
binutils.gpg. Likewise, with your suggested `--verify` command, there is
no change. But if I run `--check-trustdb`, I get the same modified
binutils.gpg and backup file.
{{{
$ gpg --with-fingerprint --keyring ./keyring/binutils.gpg --no-default-keyring --check-trustdb
}}}
The [https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html gpg manual says this]:
> `--update-trustdb`:: Do trust database maintenance. This command iterates over all keys and builds the Web of Trust. This is an interactive command because it may have to ask for the "ownertrust" values for keys.
> `--check-trustdb`:: Do trust database maintenance without user interaction. From time to time the trust database must be updated so that expired keys or signatures and the resulting changes in the Web of Trust can be tracked. Normally, GnuPG will calculate when this is required and do it automatically unless `--no-auto-check-trustdb` is set. This command can be used to force a trust database check at any time. The processing is identical to that of `--update-trustdb` but it skips keys with a not yet defined "ownertrust".
So, it appears that you can use the `--no-auto-check-trustdb` option to
avoid modifying keyring files.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25435#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
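The mitigation discussed in the comment above, as an added example that is not part of the ticket or of tor-browser-build: run the signature verification with `--no-auto-check-trustdb` so gpg never rewrites the trustdb or keyring mid-build, and independently fail if the keyring file changed anyway. Paths are placeholders; `sha256sum` (with a POSIX `cksum` fallback) and a `gpg` binary are assumed for the real invocation, while the self-check runs offline without gpg.

```shell
#!/bin/sh
# Added example (not from the ticket or tor-browser-build).

# Digest a file so that a keyring rewrite (or gpg's "~" backup) is detectable.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1,2   # POSIX fallback: CRC and size
    fi
}

# Run a command; return 0 if the keyring is byte-identical afterwards,
# 1 if it was modified, 3 if the command itself failed.
# Usage: run_keeping_keyring <keyring> <cmd> [args...]
run_keeping_keyring() {
    keyring="$1"; shift
    before=$(file_digest "$keyring")
    "$@" || return 3
    after=$(file_digest "$keyring")
    [ "$before" = "$after" ] || return 1
    return 0
}

# The gpg invocation from the ticket plus --no-auto-check-trustdb, so gpg does
# not decide on its own to run trustdb maintenance during the build.
# Usage: verify_tarball <keyring> <sig> <tarball>   (placeholder paths)
verify_tarball() {
    run_keeping_keyring "$1" gpg --batch --no-auto-check-trustdb \
        --with-fingerprint --keyring "$1" --no-default-keyring \
        --verify "$2" "$3"
}

# Offline self-check on a constructed fake keyring: a command that leaves the
# file alone must yield 0, one that rewrites it must yield 1. Prints "01".
self_check() {
    tmp=$(mktemp -d) || return 3
    printf 'fake keyring bytes\n' > "$tmp/binutils.gpg"
    if run_keeping_keyring "$tmp/binutils.gpg" true; then a=0; else a=$?; fi
    if run_keeping_keyring "$tmp/binutils.gpg" \
        sh -c 'echo changed >> "$1"' sh "$tmp/binutils.gpg"; then b=0; else b=$?; fi
    rm -rf "$tmp"
    echo "$a$b"
}
```

Wiring `verify_tarball` into a build step turns a silently modified `keyring/binutils.gpg` into a hard failure instead of a stray diff noticed after the fact.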