Opened 9 years ago

Closed 4 years ago

#1348 closed enhancement (fixed)

check downloaded files known-good crypto checksum

Reported by: erinn Owned by: erinn
Priority: High Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords: easy
Cc: erinn, arma, Sebastian, phobos Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by erinn)

(This is about Makefile.linux and Makefile.osx in https://svn.torproject.org/svn/torbrowser/trunk)

The packages currently downloaded in the fetch-source target are not verified against known-good checksums. Add this functionality so that we don't embarrass ourselves if someone tries to pass off a corrupt file.

Ideally this would be generalized across the Makefiles, like in a common.mk/.sh shared by both.

Child Tickets

Attachments (1)

0001-Bug-3148-Check-downloaded-files-against-known-good.patch (3.1 KB) - added by cjb 9 years ago.

Download all attachments as: .zip

Change History (12)

comment:1 Changed 9 years ago by erinn

Description: modified (diff)
Keywords: easy added

comment:2 Changed 9 years ago by erinn

Description: modified (diff)
Version: 0.2.1.25

comment:3 Changed 9 years ago by cjb

Here's a patch. I wasn't able to test it on OS X, hopefully someone else can do that. It requires a relatively modern (10.4 or later) OS X, for shasum.

I also changed the version of polipo to 1.0.4, since 1.0.4.1 was 404ing.

Note of course that these aren't "known good" checksums, just the ones that I got from performing the download.

comment:4 Changed 9 years ago by nickm

Status: newneeds_review

comment:5 Changed 9 years ago by Sebastian

Changing polipo to 1.0.4 is probably not a good idea; iirc 1.0.4.1 fixes major security issues.

comment:6 Changed 9 years ago by cjb

Ah, found it -- http://freehaven.net/~chrisd/polipo/ is the official download site now, and does contain 1.0.4.1. So, I agree, please replace the site URL instead of applying the change to 1.0.4.

comment:7 Changed 9 years ago by Sebastian

Who has the merge/more review stick here? Erinn?

comment:8 Changed 9 years ago by nickm

Looks okay to me except for one issue: I think we wan the build to fail if the digests are incorrect.

So the logic should not be

   pushd && sha1sum; popd

but instead it should IMO be

   pushd && sha1sum && popd

And we should probably arrange stuff so that fetch-source does not actually put the source into FETCH_DIR unless the sum is correct. Otherwise, "make fetch-source; make unpack-source" could seem to have succeed even if the digests were incorrect.

comment:9 Changed 8 years ago by erinn

I like Nick's idea. I can fix the patch tomorrow or the following day, or cjb / someone else could update it before then.

comment:10 Changed 8 years ago by rransom

Priority: minormajor

comment:11 Changed 4 years ago by cypherpunks

Cc: erinn,arma,Sebastian,phoboserinn, arma, Sebastian, phobos
Resolution: Nonefixed
Status: needs_reviewclosed

Was it merged?
Either way, currently used gitian-based build scripts for the Tor Browser Bundle do checks.

Note: See TracTickets for help on using tickets.