Opened 3 years ago

Closed 3 years ago

#20209 closed defect (fixed)

Torbrowser 6.5a3 packages now signed with sha1, not sha512

Reported by: arma Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201609, GeorgKoppen201609
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

$ gpg -v torbrowser-install-6.0.5_en-US.exe.asc
gpg: assuming signed data in `torbrowser-install-6.0.5_en-US.exe'
gpg: Signature made Fri 16 Sep 2016 07:53:01 AM EDT
gpg:                using RSA key 2E1AC68ED40814E0
gpg: using subkey 2E1AC68ED40814E0 instead of primary key 4E2C6E8793298290
gpg: using PGP trust model
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
gpg: binary signature, digest algorithm SHA512

compared to

$ gpg -v torbrowser-install-6.5a3_en-US.exe.asc
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `torbrowser-install-6.5a3_en-US.exe'
gpg: Signature made Tue 20 Sep 2016 11:10:10 AM EDT
gpg:                using RSA key D1483FA6C3C07136
gpg: using subkey D1483FA6C3C07136 instead of primary key 4E2C6E8793298290
gpg: using PGP trust model
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
gpg: binary signature, digest algorithm SHA1

What made us switch to SHA1 for the latest alpha build? Is this some bug in our release process?

Child Tickets

Change History (5)

comment:1 Changed 3 years ago by gk

Keywords: TorBrowserTeam201609 GeorgKoppen201609 added

Seems I need to go to Mount Doom again and forge a proper subkey this time. :( And check that I did it right. Good that we test those things on the alphas first. :)

comment:2 Changed 3 years ago by gk

Actually, looking closer, I think the key is good. What is missing is an update of the gpg.conf file.

comment:3 in reply to:  1 Changed 3 years ago by yawning

Replying to gk:

Seems I need to go to Mount Doom again and forge a proper subkey this time. :( And check that I did it right. Good that we test those things on the alphas first. :)

What. Your subkey is fine, you don't need to regenerate it.

$ gpg --export  0x4E2C6E8793298290 | gpg --list-packets --verbose`

[unrelated stuff omitted]

# off=43459 ctb=89 tag=2 hlen=3 plen=1092
:signature packet: algo 1, keyid 4E2C6E8793298290
        version 4, created 1472037984, md5len 0, sigclass 0x18
        digest algo 10, begin of digest fc 1d
        hashed subpkt 2 len 4 (sig created 2016-08-24)
        hashed subpkt 27 len 1 (key flags: 02)
        hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
        subpkt 16 len 8 (issuer key ID 4E2C6E8793298290)
        subpkt 32 len 540 (signature: v4, class 0x19, algo 1, digest algo 10)
        data: C6E1E79C88EA0AF4DFCCAA7FAC0227893D2E0E905C70063CAA8426F5F18743333A18D6E2E9F067501A10952891AD100996978316949E7401DB53218818CFA460F17C783ECF282DE3D989D4F27AB352C95F08DA8E231AB4A6D362D35EF7CF9346BAB86592841BCC41F7E061A55CEBDDFD755F9CE79DFA97032D688D7BF8E5CF0D92CC1DB5A0106EF610A6466F80DD8A7159D5905A06022A522D9C45BC011EC83938F2D51D50F5F84EBE6EF2A03AFF1E9DE744532D8BF66A110F5929FAD7FD6FF940F9FFFB54E159DF630D31F6613B235BF94CD5D3C15418F5EC1A69D614DA194D61596E882C26A917329D7DC0421BA3A96361F6847AE4B0827524095AC11EBAF4BB41497CD084653F20F5DE50038B26F84A9E7ACA102431F32DEC01E521FD9DFAAA61F41D9DB47D566774AE5723994AA2666B9579C535CDDF177287AF1F2194FAEB212106F6A4495B6E163A71CBA35195C0FA68C2BA04F65FD824EE7CDEA2D1BCDC30BE7B4625DCD5226F576E21A7113CBD3F71D62DFBD0A6F11E240B18E64D914DA4DEDA929E880DFAEEEB9800C19CB60DF82E781B81362379C29F41B56E1740CD62FE2192DB8FEB73838756BB25F41CB45B01D446220ADCB1D1520688BC30CFF541CD2FF08240624D028C682257126C071B68990A577208A865ED0F8C2B8CBC912BE5B100143032A70AF69D1B3A764A199683AEF254DAF594DB429E035BADD8

The self-signature (primary key signing the sub key) is using digest algo 10 (SHA512, per RFC4880).

The only thing that needs to happen is figure out what went wrong when you actually signed the bundles.

comment:4 in reply to:  2 Changed 3 years ago by yawning

Replying to gk:

Actually, looking closer, I think the key is good. What is missing is an update of the gpg.conf file.

Erp. Trac refused to tell me that you wrote that. Sorry. And yes, the subkey and associated self signature look fine.

comment:5 Changed 3 years ago by gk

Resolution: fixed
Status: newclosed

This is fixed now.

Note: See TracTickets for help on using tickets.