tools/update-responses/download_missing_versions fails to download OSX mar files

When running make incrementals, the download of the mar files from the previous version (if not already present) fails. The reason is that the OSX mar files now contain code signing, and don't match the checksum of the sha256sums-unsigned-build.txt file.

added TorBrowserTeam201802R component::applications/tor browser owner::tbb-team priority::medium resolution::fixed severity::normal status::closed tbb-backported type::defect labels

To fix this, the script could remove the code signing, and regenerate the mar file, to check that it matches the checksum from sha256sums-unsigned-build.txt.

As an alternative, the mar signature could be checked, instead of using the sha256sums-unsigned-build.txt checksums.

I am fine with option 2). #18925 (moved) is basically option 1) (I hope to get to that once the SponsorU items a finally out in an alpha).

Moving our tickets to January 2017

Trac:
Keywords: TorBrowserTeam201612 deleted, TorBrowserTeam201701 added

Moving our tickets to Feb 2017.

Trac:
Keywords: TorBrowserTeam201701 deleted, TorBrowserTeam201702 added

signmar has an option for verifying the signature of a mar file that we could use:

Verify a MAR file:
  mar [-C workingDir] -d NSSConfigDir -n certname -v signed_archive.mar
At most 8 signature certificate names are specified by -n0 certName -n1 certName2, ...
At most 8 verification certificate names are specified by -n0 certName -n1 certName2, ...

However I don't know if we can easily access the certificate files from the tools/update-responses/download_missing_versions script.

An other option would be to use the new sha256sums-signed-build.txt file, to check the downloads.

Replying to boklm:

An other option would be to use the new sha256sums-signed-build.txt file, to check the downloads.

That's a good idea. Waiting for #18925 (moved) might still take a while :/

I pushed in branch bug_20892 a patch using the sha256sums-signed-build.txt file to verify the downloads: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_20892&id=f5211682c2dd2115a2c3da3f3d5a564fe5d109ec

Trac:
Status: new to needs_review
Keywords: TorBrowserTeam201702 deleted, TorBrowserTeam201802R added

One nit in the commit message: s/This fix the download/This fixes the download/

Trac:
Keywords: TorBrowserTeam201802R deleted, TorBrowserTeam201802 added
Status: needs_review to needs_revision

I updated the commit message in branch bug_20892_v2: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_20892_v2&id=66da4f6702bd22afe4c3dabde694bf2051dd2930

Trac:
Keywords: TorBrowserTeam201802 deleted, TorBrowserTeam201802R added
Status: needs_revision to needs_review

Looks good. I merged it to master (commit 79538fbfc42b467f7badce8eb5d024d74392f8a1). boklm, please have a look at the child ticket so that we can close this one.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

Trac:
Keywords: N/A deleted, tbb-backport added

Backported with commit da514cdf49e89fb5efbb969cfd74dd561d50f54e.

Trac:
Keywords: tbb-backport deleted, tbb-backported added

closed

mentioned in issue #22612 (moved)

moved to tpo/applications/tor-browser#20892 (closed)