Tor Distros Repository Problems (serious!)
wirelesssnowman at Safe-mail.net
Tue Jan 18 02:24:59 UTC 2011
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Point 1: Binaries (DEBs/RPMs) are NOT correctly signed!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Demonstration of point 1:
Download a current Tor binary (rpm or deb file) from Tor's official repositories. Next, download the RPM-GPG-KEY-torproject.org file. Finally, download the .asc file for the Tor binary version you've downloaded.
Compare these files:
RPM-GPG-KEY-torproject.org *AND* the .asc file from the binary's repo dir
*BOTH* files are *EXACTLY* the *SAME*! They are the public key from the would-be signer, but the .asc files are NOT the correctly signed files from the signer's public key. The .asc files are WORTHLESS, and gpg issues an error if you try to verify them:
#gpg: verify signatures failed: Unexpected error
Why? Because it's not a valid signature at all, it's a duplicate copy of the public key which is also found in RPM-GPG-KEY-torproject.org !
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Point 2: No checksums available for the binaries!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Demonstration of point 2: Within your web browser, navigate the directory tree for the Tor official binaries.
Example: http://deb.torproject.org/torproject.org/rpm/(pick a distro)
No md5, sha1, sha256, or better checksums are available for verification!!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Conclusion: PROPERLY SIGN THE BINARIES AND ISSUE CHECKSUM FILES!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This is a simple task: the public key holder for the binaries should, and can, PROPERLY SIGN THEM and generate checksums for the binaries if we are to place any trust in binaries coming from a trusted source. This process only takes a few minutes for each release, and when you bear in mind how important this simple process is for each release, it should be MANDATORY that a CAPABLE person is staffed to COMPLETE this process EVERY TIME!
I understand how a repository should be used, but consideration must be made for those who download files manually and attempt to verify vs. allowing their package manager to do the work with the repos/files.
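As an added illustration of the two checks the post asks for (this is not code from the post or from the Tor project): a Python script that tells a real detached signature apart from a stray public key block by its armor label and first OpenPGP packet tag, and matches a downloaded file against a sha256sum-style checksum list. All inputs are constructed stand-ins, not real Tor repository files.

```python
import base64
import hashlib

# OpenPGP packet tags (RFC 4880, section 4.3).
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6

def dearmor(armored: str):
    """Return (armor label, raw packet bytes) for one ASCII-armored block."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    label = lines[0][len("-----BEGIN PGP "):].rstrip("-")
    body = lines[1:-1]
    if "" in body:                      # armor headers ("Version: ...") end at the blank line
        body = body[body.index("") + 1:]
    data = "".join(l for l in body if not l.startswith("="))  # '=XXXX' is the CRC24 trailer
    return label, base64.b64decode(data)

def first_packet_tag(raw: bytes) -> int:
    """Tag of the first packet; handles old- and new-format packet headers."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("bad packet header")
    return ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F

def classify_asc(armored: str) -> str:
    """'signature' only when both the armor label and the first packet agree."""
    label, raw = dearmor(armored)
    tag = first_packet_tag(raw)
    if label == "SIGNATURE" and tag == TAG_SIGNATURE:
        return "signature"
    if label == "PUBLIC KEY BLOCK" and tag == TAG_PUBLIC_KEY:
        return "public-key"
    return "other"

def check_sha256(blob: bytes, name: str, sums: str) -> bool:
    """Match blob against a sha256sum-style list ('<hex>  <filename>' per line)."""
    digest = hashlib.sha256(blob).hexdigest()
    for line in sums.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*") == name:
            return parts[0].lower() == digest
    return False  # no entry for this file means nothing was verified

def armor(label: str, raw: bytes) -> str:
    """Wrap constructed packet bytes in a minimal armor block (no CRC line)."""
    return f"-----BEGIN PGP {label}-----\n\n{base64.b64encode(raw).decode()}\n-----END PGP {label}-----\n"

# Constructed stand-ins: 0x99 = old-format header, tag 6 (public key); 0x88 = tag 2 (signature).
FAKE_KEY_ASC = armor("PUBLIC KEY BLOCK", b"\x99\x01\x0d\x04" + b"\x00" * 4)
FAKE_SIG_ASC = armor("SIGNATURE", b"\x88\x5e\x04\x00" + b"\x00" * 4)
PACKAGE = b"constructed package bytes, not a real tor rpm"
SUMS = hashlib.sha256(PACKAGE).hexdigest() + "  tor-example.rpm\n"

if __name__ == "__main__":
    # The post's failure mode: a file named like a signature that is really the public key.
    print("tor-example.rpm.asc is a", classify_asc(FAKE_KEY_ASC))
    print("sha256 matches:", check_sha256(PACKAGE, "tor-example.rpm", SUMS))
```

Running gpg --verify on a .asc that classifies as public-key will fail exactly as the post describes; the checksum helper only passes when the list actually names the downloaded file.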