Opened 20 months ago

Last modified 16 months ago

#18497 new enhancement

Check that MAR signing is done properly on the files available in the update responses

Reported by: boklm
Owned by: boklm
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In #18405 we are adding a script to be used during the release process to check that the MAR files are properly signed. We could have another one that is doing the same things on the files currently proposed as an update. This would allow someone to easily check (maybe as a cron job) that the updates currently available are the same as the ones in the sha256sums-unsigned-build files.

In tools/update-responses/check_update_responses_deployement we have a script that currently checks that the update responses XML provides the expected version. I think I could extend it to also download the mar files it provides, unsign them and check that they match sha256sums-unsigned-build.txt.

Change History (1)

comment:1 Changed 16 months ago by boklm

A first version is available in the branch bug_18497_v1 in my repo:
https://gitweb.torproject.org/user/boklm/tor-browser-bundle.git/log/?h=bug_18497_v1

Using this branch, running this command:

./check_update_responses_deployement http://aus1.torproject.org/torbrowser/update_2/ alpha

will check that:

  • the correct version is returned, with incremental mar, for various updater URLs
  • the sha256sums-unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt files from this version are signed by the Tor Browser key
  • the mar files available as updates match the checksums from sha256sums-unsigned-build.txt or sha256sums-unsigned-build.incrementals.txt after removing the signature using signmar -r. A cache of the mapping between signed mar sha512sum and unsigned mar sha256sum is kept in the file unsigned-sha256sums.txt.

What is not done yet:

  • change the user agent to be the same as Tor Browser
  • check the updates for all locales (currently this is only done for en-US and de)
  • check that the sha256sums files are signed by two of the known builders in addition to the Tor Browser key
  • ignore the has_incremental error caused by the absence of incremental update with the osx32 -> osx64 updates
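
The third check in the comment above (strip the signature with signmar -r, compare against the checksum list, cache signed sha512 to unsigned sha256), sketched as an added example that is not code from the bug_18497_v1 branch. It assumes the checksum file's signature has already been verified and that `signmar` is on PATH; all function names are hypothetical, and an in-memory dict stands in for unsigned-sha256sums.txt.

```python
import hashlib, os, subprocess, tempfile

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum-style lines ("<hex>  <name>") into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def unsign_with_signmar(signed_path, unsigned_path):
    # Assumption: signmar is on PATH; "signmar -r in out" writes the MAR without its signature.
    subprocess.run(["signmar", "-r", signed_path, unsigned_path], check=True)

def unsigned_sha256(signed_path, cache, unsign=unsign_with_signmar):
    """sha256 of the MAR with its signature removed; cache maps signed sha512 -> unsigned sha256."""
    key = file_digest(signed_path, "sha512")
    if key not in cache:
        with tempfile.TemporaryDirectory() as tmp:
            out = os.path.join(tmp, "unsigned.mar")
            unsign(signed_path, out)
            cache[key] = file_digest(out, "sha256")
    return cache[key]

def check_mar(signed_path, name, expected, cache, unsign=unsign_with_signmar):
    """True only if name is listed and the unsigned MAR matches the listed checksum."""
    want = expected.get(name)
    return want is not None and unsigned_sha256(signed_path, cache, unsign) == want

if __name__ == "__main__":
    # Constructed sample: not a real MAR; the last 4 bytes stand in for the signature.
    def strip4(src, dst):
        with open(src, "rb") as s, open(dst, "wb") as d:
            d.write(s.read()[:-4])
    with tempfile.TemporaryDirectory() as tmp:
        mar = os.path.join(tmp, "sample.mar")
        with open(mar, "wb") as f:
            f.write(b"constructed payload" + b"SIG!")
        listing = hashlib.sha256(b"constructed payload").hexdigest() + "  sample.mar\n"
        print(check_mar(mar, "sample.mar", parse_sha256sums(listing), {}, strip4))
```

A file name missing from the checksum list fails the check rather than being skipped, so an update served under an unlisted name is reported instead of passing silently.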