Opened 4 years ago

Closed 4 years ago

#19494 closed project (not a bug)

Invalid SHA256 on version 6.0.1 et 6.0.2

Reported by: cypherpunks Owned by:
Priority: Low Milestone:
Component: Community Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


sha256sums-unsigned-build.txt contains incorrectes sha256 values.

Ex :

sha256sums-unsigned-build.txt : 697a1d592c46138f894f9c03db54393bf61dd53df1b1043844f59f7e85439d1b
shasum -a 256 torbrowser-install-6.0.2_en-US.exe :3a2e05304345936fd713b638612088fa0914102389c15c7bf7aa1d74803e5db8


sha256sums-unsigned-build.txt: 1b1b3634036a516c424c3942ffaeed7e9ad72d4bf09746680d5da64afae98e38
shasum -a 256 TorBrowser-6.0.2-osx64_en-US.dmg

Child Tickets

Change History (1)

comment:1 Changed 4 years ago by boklm

Resolution: not a bug
Status: newclosed

The sha256sums-unsigned-build.txt file contains the hashes of the bundles before they are signed.

For the Windows bundles, you can use osslsigncode to remove the signature. It is available in this git repository:

Then you can do:

$ sha256sum torbrowser-install-6.0.2_en-US.exe 
3a2e05304345936fd713b638612088fa0914102389c15c7bf7aa1d74803e5db8  torbrowser-install-6.0.2_en-US.exe
$ ./osslsigncode remove-signature torbrowser-install-6.0.2_en-US.exe torbrowser-install-6.0.2_en-US.exe-unsigned
$ sha256sum torbrowser-install-6.0.2_en-US.exe-unsigned
697a1d592c46138f894f9c03db54393bf61dd53df1b1043844f59f7e85439d1b  torbrowser-install-6.0.2_en-US.exe-unsigned

We are still working on the instructions to remove the code signing on the .dmg files. This is ticket #18925.

Note: See TracTickets for help on using tickets.