Opened 3 years ago

Closed 3 years ago

#19809 closed defect (fixed)

Update verification failed but update still applies on Linux and OS X

Reported by: sukhbir
Owned by:
Priority: Medium
Milestone:
Component: Archived/Tor Messenger
Version:
Severity: Normal
Keywords:
Cc: boklm, mcs, brade, arlolra
Actual Points:
Parent ID: #14388
Points:
Reviewer:
Sponsor:

Description (last modified by sukhbir)

With all the updater patches applied, I was trying to update Tor Messenger. I generated the MAR signing key and signed the MAR file and then tried to update. (The build was completed with the associated DER file.)

On Linux and OS X, it complains that the signatures could not be verified but still goes on to complete the update.

On Windows it gives me error code 19, which Bugzilla #742008 tells me: "That is CERT_VERIFY_ERROR, which suggests that the mars are not signed correctly for some reason.". The update does not apply.

This is the log from updating on Linux:

*** AUS:SVC Downloader:onStopRequest - attempting to stage update: Tor Messenger 0.1.0b8
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
*** AUS:SVC readStatusFile - status: applied, path: /tmp/tor-messenger/Browser/updates/0/update.status
*** AUS:SVC UpdateManager:refreshUpdateStatus - Notifying observers that the update was staged. state: applied, status: applied

Why is Tor Messenger still updating if the signature could not be verified?

Change History (5)

comment:1 Changed 3 years ago by sukhbir

Description: modified (diff)

comment:2 Changed 3 years ago by sukhbir

Update: I realized I was copying the DER file to just release_secondary.der; I changed it to copy to both release_primary and release_secondary. So maybe the error in the above case was because release_primary failed but release_secondary worked. I no longer have this issue on Linux and OS X.

On Windows, I still get the update failed with error code 19. Is the Windows update verification different from Linux and OS X?

comment:3 Changed 3 years ago by boklm

Parent ID: #14388

comment:4 Changed 3 years ago by sukhbir

To add, this is how I am generating MAR files and signing them:

MAR=./mar MBSDIFF=./mbsdiff ./make_incremental_update.sh mar.mar old/Browser/ new/Browser/
LD_LIBRARY_PATH=. ./signmar -d "$NSS_DB_DIR" -n "$CERT_NAME" -s mar.mar partial.mar

I am using the mar-tools.zip from Tor Browser.

comment:5 Changed 3 years ago by sukhbir

Resolution: fixed
Status: new → closed

OK I managed to figure it out. I was missing setting the update channel in the mozconfig (!). Setting:

ac_add_options --enable-update-channel=release

Fixed the issue. I realized this after noticing that the update channel was default. I had this option in the mozconfig files for Linux and OS X but somehow missed Windows.
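
A log check for the condition reported in this ticket, added here as an example and not part of the ticket or the Tor Messenger code: it flags any staging attempt whose signature errors are followed by an "applied" status. The log excerpt is copied from the description; the function name and the regular expressions are assumptions derived from those five lines.

```python
import re

# Log excerpt copied from the ticket description (Linux update run).
TICKET_LOG = """\
*** AUS:SVC Downloader:onStopRequest - attempting to stage update: Tor Messenger 0.1.0b8
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
*** AUS:SVC readStatusFile - status: applied, path: /tmp/tor-messenger/Browser/updates/0/update.status
*** AUS:SVC UpdateManager:refreshUpdateStatus - Notifying observers that the update was staged. state: applied, status: applied
"""

# Patterns are assumptions based on the line shapes in the excerpt above.
STAGE_RE = re.compile(r"attempting to stage update: (?P<name>.+)$")
SIG_ERR_RE = re.compile(
    r"^ERROR: (Error verifying signature|Not all signatures were verified)\."
)
STATUS_RE = re.compile(r"readStatusFile - status: (?P<status>[\w-]+)")


def find_unverified_applies(log_text):
    """Return one finding per staging attempt whose signature errors
    were followed by a status of 'applied'."""
    findings = []
    current = None  # staging attempt being tracked, if any
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = STAGE_RE.search(line)
        if m:
            current = {"update": m.group("name"), "line": lineno, "sig_errors": []}
            continue
        if current is None:
            continue  # ignore lines outside a staging attempt
        if SIG_ERR_RE.search(line):
            current["sig_errors"].append(line)
            continue
        m = STATUS_RE.search(line)
        if m:
            # The first status read closes the attempt, whatever its value.
            if m.group("status") == "applied" and current["sig_errors"]:
                findings.append(current)
            current = None
    return findings


if __name__ == "__main__":
    for f in find_unverified_applies(TICKET_LOG):
        print(f"line {f['line']}: {f['update']} applied after "
              f"{len(f['sig_errors'])} signature error(s)")
```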
