Opened 5 years ago

Last modified 5 months ago

#18497 assigned enhancement

Check that MAR signing is done properly on the files available in the update responses

Reported by: boklm
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-update, tbb-security
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


In #18405 we are adding a script to be used during the release process to check that the MAR files are properly signed. We could have another one that does the same thing on the files currently proposed as an update. This would allow someone to easily check (maybe as a cron job) that the updates currently available are the same as the ones in the sha256sums-unsigned-build files.

In tools/update-responses/check_update_responses_deployement we have a script that currently checks that the update responses XML provides the expected version. I think I could extend it to also download the mar files it provides, unsign them and check that they match sha256sums-unsigned-build.txt.

Change History (5)

comment:1 Changed 4 years ago by boklm

A first version is available in the branch bug_18497_v1 in my repo:

Using this branch, running this command:

./check_update_responses_deployement alpha

will check that:

  • the correct version is returned, with incremental mar, for various updater URLs
  • the sha256sums-unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt files from this version are signed by the Tor Browser key
  • the mar files available as updates match the checksum from sha256sums-unsigned-build.txt or sha256sums-unsigned-build.incrementals.txt after removing the signature using signmar -r. A cache of the mapping between signed mar sha512sum and unsigned mar sha256sum is kept in the file unsigned-sha256sums.txt.

What is not done yet:

  • change the user agent to be the same as Tor Browser
  • check the updates for all locales (currently this is only done for en-US and de)
  • check that the sha256sums files are signed by two of the known builders in addition to the Tor Browser key
  • ignore the has_incremental error caused by the absence of incremental update with the osx32 -> osx64 updates
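
One way to implement the third check listed in comment:1, given here as an added example and not as code from the bug_18497_v1 branch. It assumes the sha256sums text has already passed signature verification, that a served MAR's file name matches its entry in that file, and a one-pair-per-line cache layout; all function names are hypothetical.

```python
import hashlib
import subprocess
from pathlib import Path

def file_digest(path, algo):
    """Hex digest of a file, read in chunks (MAR files can be large)."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def strip_with_signmar(signed, unsigned):
    """Remove the MAR signature with `signmar -r`, as the ticket describes."""
    subprocess.run(["signmar", "-r", str(signed), str(unsigned)], check=True)

def unsigned_sha256(signed_mar, cache_file, strip=strip_with_signmar):
    """sha256 of the MAR with its signature removed, cached by signed sha512."""
    key = file_digest(signed_mar, "sha512")
    cache_file = Path(cache_file)
    if cache_file.exists():
        # Assumed cache layout: one '<signed sha512> <unsigned sha256>' per line.
        for line in cache_file.read_text().splitlines():
            fields = line.split()
            if len(fields) == 2 and fields[0] == key:
                return fields[1]
    unsigned = Path(str(signed_mar) + ".unsigned")
    try:
        strip(signed_mar, unsigned)
        digest = file_digest(unsigned, "sha256")
    finally:
        unsigned.unlink(missing_ok=True)
    with cache_file.open("a") as fh:
        fh.write(f"{key} {digest}\n")
    return digest

def mar_matches_build(signed_mar, verified_sums_text, cache_file, strip=strip_with_signmar):
    """True only if the served MAR, unsigned, equals the listed build output."""
    expected = parse_sha256sums(verified_sums_text).get(Path(signed_mar).name)
    return expected is not None and expected == unsigned_sha256(signed_mar, cache_file, strip)
```

Because the cache is keyed by the sha512 of the signed file, any change to the served MAR misses the cache and forces a fresh strip and comparison.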

comment:2 Changed 21 months ago by gk

Keywords: tbb-updater added

comment:3 Changed 21 months ago by gk

Keywords: tbb-update added; tbb-updater removed

Renaming keyword to make it a bit broader

comment:4 Changed 6 months ago by gaba

Owner: changed from boklm to tbb-team
Status: new → assigned

Release all these tickets back into tbb-team.

comment:5 Changed 5 months ago by gk

Keywords: tbb-security added