[tor-bugs] #27438 [Applications/Tor Browser]: Android Gradle Build Downloads
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 18 19:55:38 UTC 2018
#27438: Android Gradle Build Downloads
-------------------------------------------------+-------------------------
Reporter: sisbell                                | Owner: tbb-team
Type: defect                                     | Status: needs_review
Priority: Medium                                 | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Normal                                 | Resolution:
Keywords: tbb-rbm, tbb-mobile,                   | Actual Points:
  TorBrowserTeam201810R                          |
Parent ID: #26693                                | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Changes (by boklm):
* keywords: tbb-rbm, tbb-mobile, TorBrowserTeam201810 => tbb-rbm, tbb-mobile, TorBrowserTeam201810R
* status: needs_revision => needs_review
Comment:
Replying to [comment:17 sisbell]:
> It's a little more complicated but not by much. Basically, it checks
> extensions to see if it has a gpg signature for an artifact and if so then
> verifies it with a key from a key server. If there is no gpg sig, then it
> looks for a sha2 file and verifies that. If there is no sha2, then it just
> generates one and flags it. (it could go on to check sha1, md5 but I
> didn't implement that). I'm ok either way with script or artc. Would that
> require different scripts for each platform we build on?
If I understand the sources of artc correctly, a signature made by any key
that is available on pgp.mit.edu will be accepted, so that does not seem
very useful, as anybody can generate a key and upload it there. A sha file
that is hosted on the same server as the file we download is also not very
useful, as someone able to modify the file on the server will probably also
be able to modify the sha file too.
In branch `bug_27438` I added a script, in an `input_files` entry, that
downloads all the URLs from `gradle-dependencies-list.txt`, checks that
the files match the expected sha256sums, and moves them to the same
directory as in their URL:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_27438&id=ba47a5262a31039ef519b0655cbfe221dcb71b8b
After running this I'm getting the same content as `maven-repo-1.0.tar.gz`.
If that looks good to you, you can add the patch to your branch.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27438#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
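Added illustration (not part of the ticket, and not the script from the `bug_27438` branch, which this message does not quote) of the verification scheme boklm describes: download every URL in a checked-in list, compare the bytes against a pinned sha256 rather than trusting a key-server signature or a `.sha` file on the same host, and only then place the file in a directory tree mirroring its URL. The repository host, artifact path, file body and the `FAKE_SERVER` stand-in are constructed so that it runs offline; `http_fetch` is the real-network fetcher it would use in practice.

```python
"""Pinned-hash artifact fetcher (added example; not the script in the bug_27438 branch)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse
from urllib.request import urlopen

Fetcher = Callable[[str], bytes]
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def http_fetch(url: str) -> bytes:
    """Default fetcher: a plain HTTP(S) GET. The offline demo below swaps it out."""
    with urlopen(url, timeout=60) as resp:
        return resp.read()


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse '<url> <sha256>' lines; blank lines and '#' comments are skipped.
    A line without a 64-hex-digit digest is a manifest error: nothing is fetched
    unless its expected hash is pinned in the list that lives in git."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not SHA256_RE.fullmatch(parts[1]):
            raise ValueError(f"line {lineno}: expected '<url> <sha256>', got {line!r}")
        entries.append((parts[0], parts[1].lower()))
    return entries


def mirror_path(out_dir: Path, url: str) -> Path:
    """Map https://host/a/b/c.jar to <out_dir>/host/a/b/c.jar, refusing path
    components such as '..' that could place a file outside out_dir."""
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if not u.netloc or not parts or any(p in (".", "..") for p in parts):
        raise ValueError(f"refusing to mirror suspicious URL {url!r}")
    return out_dir.joinpath(u.netloc, *parts)


def fetch_verified(manifest: str, out_dir: Path, fetch: Fetcher = http_fetch) -> Dict[str, Path]:
    """Fetch every manifest entry, verify its SHA-256, store it under out_dir.
    Returns {url: stored_path}. The digest is checked before anything is written
    and the first mismatch aborts the run, so a file altered on the server (or a
    same-host .sha file, which is never consulted) cannot enter the local tree."""
    stored: Dict[str, Path] = {}
    for url, expected in parse_manifest(manifest):
        data = fetch(url)
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected:
            raise RuntimeError(f"{url}: sha256 {actual} != pinned {expected}")
        dest = mirror_path(out_dir, url)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        stored[url] = dest
    return stored


# ---- Offline demo with constructed data (host, path and file body are made up) ----
JAR_URL = "https://repo.example/maven2/org/example/lib/1.0/lib-1.0.jar"
FAKE_SERVER = {JAR_URL: b"abc"}  # stand-in for the remote Maven repository
# sha256(b"abc") is the well-known ba7816bf... test vector, so the pin below is exact.
GOOD_MANIFEST = (
    "# url sha256\n"
    f"{JAR_URL} ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)


def fake_fetch(url: str) -> bytes:
    return FAKE_SERVER[url]


def demo_good() -> Tuple[Dict[str, Path], Path]:
    """Unmodified server: the jar lands at <out>/repo.example/maven2/.../lib-1.0.jar."""
    out_dir = Path(tempfile.mkdtemp())
    return fetch_verified(GOOD_MANIFEST, out_dir, fake_fetch), out_dir


def demo_modified_on_server() -> str:
    """Same URL, but the bytes no longer match the pinned hash: the run aborts."""
    altered = {JAR_URL: b"abc\x00"}
    try:
        fetch_verified(GOOD_MANIFEST, Path(tempfile.mkdtemp()), altered.__getitem__)
    except RuntimeError as err:
        return str(err)
    return "accepted"


def demo_unpinned() -> str:
    """A URL with no digest is refused up front instead of being hashed and 'flagged'."""
    try:
        fetch_verified(f"{JAR_URL}\n", Path(tempfile.mkdtemp()), fake_fetch)
    except ValueError as err:
        return str(err)
    return "accepted"
```

The design point is where trust lives: the only thing that must be correct is the hash list under version control, so a compromised mirror, a stale CDN copy, or an uploaded key on a public key server changes nothing about what the build accepts. Rejecting unpinned entries up front (rather than computing and "flagging" a hash on first sight) keeps the list from being silently populated with whatever the server happened to serve that day.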