Opened 5 years ago

Closed 5 years ago

#13201 closed defect (fixed)

Tor Installation OS X Step Three

Reported by: tiredpixel
Owned by:
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity:
Keywords: osx, homebrew, installation, verification, checksums
Cc: mttp, Sherief
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Please find below a copy of a letter I recently wrote to help@… regarding some thoughts about Tor Installation OS X Step Three, as detailed on the website. As requested, I am submitting it as a ticket. I am marking it as a defect, as some of it at least refers to the possibility of the installation instructions for OS X not being up-to-date (although other parts could be considered as improvements). Please excuse it not being broken up into smaller tickets; I am not sure where any such division would be best. Let's take this as a place to start, and break anything up if it is clear to someone and deemed useful. :)

Peace,
tiredpixel

---

Dear Tor,

On https://www.torproject.org/docs/tor-doc-osx.html.en 'Step Three', it says

Unfortunately, Homebrew does not come with integrated verification for downloads, and anyone could submit a modified Tor! Currently, we don't have good instructions on how to verify the Tor download on Mac OSX. If you think you do, please let us know!

Is this up-to-date? Homebrew contains the ability to checksum both bottles and source packages, and these appear to be specified in the build recipe for Tor:

https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb

Modifying my local /usr/local/Library/Formula/tor.rb and purposely corrupting the checksums seemed to yield the desired behaviour (after clearing the caches), with the bottle installation being skipped because of the failed checksum (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L11), and then the source installation failing because of that failed checksum (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L6).

Admittedly, this does not make it easy for the user to verify the installation themselves, and requires a large amount of trust in Homebrew. However, presuming the trust in the package manager itself installing from the locally downloaded package, perhaps it is possible for the concerned user to skip the bottle installation and force a source installation (slower, of course, but not massively so) using something like:

brew install tor --build-from-source

Then, observing the output for the location of the cache (which could also be guessed from the version reported in brew info tor), fetching the signature from the Tor website, and verifying:

curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz.asc -o tor-sig.asc
gpg --verify tor-sig.asc /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz

However, this also requires GPG, of course, which in turn can be installed using Homebrew or GPGTools (binary package), so perhaps this doesn't make the user much more at ease. Perhaps the latter consideration doesn't cause too much worry, however, as it appears to be in the instructions for verifying signatures on OS X (https://www.torproject.org/docs/verifying-signatures.html.en). Manually verifying the SHA checksum, too, however (which is what Homebrew appears to do), could give a little more confidence:

shasum -a 256 /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz

However, unlike for the SHA 256 sums provided for the browser (https://www.torproject.org/dist/torbrowser/4.0-alpha-2/sha256sums.txt), I cannot seem to find a list of these. But then, arguably it's a small download anyway, so if we don't mind the duplication of the download work:

curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz | shasum -a 256

This matches the version Homebrew cached, which increases confidence.

By this point, however, we could just as easily warm the source cache for Homebrew ourselves, which would block installation if the checksum does not match that expected by Homebrew:

curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz -o /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz

This does, of course, require knowledge of which version is about to be installed, but brew info tor suffices for that.

I suppose it comes down to whether I trust Homebrew in its installation, and whether I trust its embedded checksums to be accurate. For the former, I probably shouldn't be using it for installations, although admittedly verifying my Homebrew installation itself is a whole other issue (although here, too, confidence could be gained by using the knowledge of it being a Git repository and doing something like cd $(brew --prefix) && git remote -v && git pull, but also presumes the --prefix output is accurate, etc.). If I don't trust its embedded checksums to be accurate, perhaps an approach balancing concern with usability would be:

brew info tor
# observe stable version
export BREW_TOR_VERSION=0.2.4.23
curl "https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz" -o "/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
curl "https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz.asc" -o tor-sig.asc
gpg --verify tor-sig.asc "/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
# observe good signature, leaving checksum checking to Homebrew, as we've supplied the source
brew install tor --build-from-source
# observe that cache was used and nothing exploded

Although, it might be more convenient to use brew fetch for the source.

Perhaps there may be a better way to accomplish this, particularly the last step. But hopefully, it is better than nothing for the concerned user.

Peace,
tiredpixel

Change History (5)

comment:1 Changed 5 years ago by mttp

Cc: mttp added

comment:2 Changed 5 years ago by Sherief

Cc: Sherief added

comment:3 Changed 5 years ago by Sebastian

Resolution: wontfix
Status: new → closed

I believe the information about homebrew is still accurate, as there's no way to actually verify that an updated formula is the one you were intended to get by the packager. So stuff like freezing attacks etc would all still work. I'm inclined to close this as won't fix for now and hope either macports or homebrew step up their game :(

comment:4 Changed 5 years ago by Sebastian

Resolution: wontfix
Status: closed → reopened

Oy! Macports signs its packages. I will work on macports instructions.

comment:5 Changed 5 years ago by Sebastian

Resolution: fixed
Status: reopened → closed

Updated
