Opened 3 years ago

Closed 3 years ago

#20422 closed defect (fixed)

Tor Browser builds are broken due to failing pycrypto signature check

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone: (none)
Component: Applications/Tor Browser
Version: (none)
Severity: Normal
Keywords: tbb-gitian, TorBrowserTeam201610R GeorgKoppen201610R
Cc: boklm, ln5
Actual Points: (none)
Parent ID: (none)
Points: (none)
Reviewer: (none)
Sponsor: (none)

Description

When downloading pycrypto and checking its signature we get:

gpg: Signature made Tue 15 Oct 2013 12:39:39 AM CEST using DSA key ID 2C77FFB0
gpg: Good signature from "Dwayne Litzenberger <dlitz@dlitz.net>"
gpg:                 aka "Dwayne C. Litzenberger <dlitz@dlitz.net>"
gpg: WARNING: Using untrusted key!
[GNUPG:] KEYEXPIRED 1476988881
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1476988881
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID WkH8dtL73r6jNEtq6iuYq1lo2yQ 2013-10-14 1381790379
[GNUPG:] KEYEXPIRED 1476988881
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG 9B8AA8CA2C77FFB0 Dwayne Litzenberger <dlitz@dlitz.net>
[GNUPG:] KEYEXPIRED 1476988881
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] VALIDSIG E110D9A8C590EE8C2049B21C9B8AA8CA2C77FFB0 2013-10-14 1381790379 0 4 0 17 10 00 19E11FE8B3CFF273ED174A24928CEC1339C25CF7
PYCRYPTO: GPG signature is broken for https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz

But in fetch-inputs.sh we do:

  # fetch-inputs.sh: a signature only counts as verified if gpg reports GOODSIG
  if grep -q '^\[GNUPG:\] GOODSIG ' "$tmpfile"; then
    return 0
  else
    return 1
  fi

Thus, we fail hard.

Child Tickets

Change History (8)

comment:1 Changed 3 years ago by gk

Component: set to Applications/Tor Browser
Owner: set to tbb-team

comment:2 Changed 3 years ago by boklm

It looks like the subkey E110D9A8C590EE8C2049B21C9B8AA8CA2C77FFB0 which is used to sign pycrypto expired yesterday.

comment:3 Changed 3 years ago by boklm

I think to fix this we can:

  • email the pycrypto author to ask if they have an updated key
  • check the checksum of the file instead of its gpg signature
  • check for EXPKEYSIG in addition to GOODSIG in the gpg status output, to allow signatures from expired keys. This will however apply to all packages. If we do this we should also clean all the keyring files we use to remove obsolete expired keys to make sure they cannot be used.
Version 1, edited 3 years ago by boklm

comment:4 Changed 3 years ago by cypherpunks

It could also check for VALIDSIG instead of GOODSIG.
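
The following shell script is an added example and not part of fetch-inputs.sh or any of the patches referenced in this ticket; it sorts a gpg --status-fd transcript into the cases comments 3 and 4 discuss (GOODSIG, EXPKEYSIG and VALIDSIG) and combines that with the SHA256 check gk mentions. The function names, the placeholder key id in the good-key transcript and the expected sum argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the fetch-inputs.sh code quoted in the ticket. It sorts a
# gpg --status-fd transcript into the cases the thread discusses: GOODSIG is
# emitted only for a valid signature from a key that is neither expired nor
# revoked, EXPKEYSIG is the "good signature, but the key has expired" case from
# the ticket, and VALIDSIG is emitted in both cases, so matching VALIDSIG alone
# would accept expired keys as well.

# Returns 0 for GOODSIG, 2 for EXPKEYSIG (good signature, expired key),
# 1 for anything else (BADSIG, unknown key, or no signature line at all).
gpg_status_class() {
  if grep -q '^\[GNUPG:\] BADSIG ' "$1"; then
    return 1
  elif grep -q '^\[GNUPG:\] GOODSIG ' "$1"; then
    return 0
  elif grep -q '^\[GNUPG:\] EXPKEYSIG ' "$1"; then
    return 2
  fi
  return 1
}

# Accept an input only when gpg reported GOODSIG and, if an expected SHA256 sum
# is given, the file's sum matches it. Usage: input_ok FILE STATUSFILE [SHA256]
input_ok() {
  gpg_status_class "$2" || return 1
  if [ -n "$3" ]; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$3" ] || return 1
  fi
  return 0
}

# Constructed transcripts: the expired-key lines follow the ticket's output,
# the good-key transcript uses an all-zero placeholder key id and fingerprint.
EXPIRED_STATUS='[GNUPG:] KEYEXPIRED 1476988881
[GNUPG:] EXPKEYSIG 9B8AA8CA2C77FFB0 Dwayne Litzenberger <dlitz@dlitz.net>
[GNUPG:] VALIDSIG E110D9A8C590EE8C2049B21C9B8AA8CA2C77FFB0 2013-10-14 1381790379 0 4 0 17 10 00 19E11FE8B3CFF273ED174A24928CEC1339C25CF7'
GOOD_STATUS='[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2016-10-01 1475280000 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# Write a transcript to a temp file and print which class it falls into.
show_class() {
  f=$(mktemp); printf '%s\n' "$2" > "$f"
  rc=0; gpg_status_class "$f" || rc=$?
  rm -f "$f"; echo "$1: class=$rc"
}
show_class expired "$EXPIRED_STATUS"   # expired: class=2
show_class good "$GOOD_STATUS"         # good: class=0
```

Run against the ticket's transcript the expired-key case is reported as class 2 rather than silently accepted, which is what a build script should key its hard failure on.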

comment:5 in reply to: 3 Changed 3 years ago by gk

Keywords: TorBrowserTeam201610R GeorgKoppen201610R added
Status: new → needs_review

Replying to boklm:

I think to fix this we can:

  1. email the pycrypto author to ask if they have an updated key
  2. check the checksum of the file instead of its gpg signature

Looking at the key, and given that we already checked the SHA256 sum in addition to the signature, this seems not an unreasonable way of fixing the bug. See: bug_20422_v2 (https://gitweb.torproject.org/user/gk/tor-browser-bundle.git/commit/?h=bug_20422_v2&id=4b13b64b36da439f09decb4694dc3f33ecf9bd14) in my public repo for a proposed fix.

comment:7 Changed 3 years ago by boklm

The patch from bug_20422_v3 looks good to me.

comment:8 Changed 3 years ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks. Fixed on master (commit d8c56ab1d5db728adddc0376a266ea842f0e4872), maint-6.0 (commit bfc9d71a999e0902011684610a9dcfb97319ae10) and hardened-builds (commit 51f62d0c35e4c0587618f586fcfacae377933497).
