Opened 3 years ago

Closed 20 months ago

Last modified 18 months ago

#20892 closed defect (fixed)

tools/update-responses/download_missing_versions fails to download OSX mar files

Reported by: boklm Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201802R, tbb-backported
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When running make incrementals, the download of the mar files from the previous version (if not already present) fails. The reason is that the OSX mar files now contain code signing, and don't match the checksum of the sha256sums-unsigned-build.txt file.

Child Tickets

TicketStatusOwnerSummaryComponent
#22612closedtbb-teamProvide a list sha256's for verified binary downloads from mirrorsApplications/Tor Browser

Change History (14)

comment:1 Changed 3 years ago by boklm

To fix this, the script could remove the code signing, and regenerate the mar file, to check that it matches the checksum from sha256sums-unsigned-build.txt.

As an alternative, the mar signature could be checked, instead of using the sha256sums-unsigned-build.txt checksums.

Last edited 3 years ago by boklm (previous) (diff)

comment:2 Changed 3 years ago by gk

I am fine with option 2). #18925 is basically option 1) (I hope to get to that once the SponsorU items a finally out in an alpha).

comment:3 Changed 3 years ago by gk

Keywords: TorBrowserTeam201701 added; TorBrowserTeam201612 removed

Moving our tickets to January 2017

comment:4 Changed 3 years ago by gk

Keywords: TorBrowserTeam201702 added; TorBrowserTeam201701 removed

Moving our tickets to Feb 2017.

comment:5 Changed 2 years ago by boklm

signmar has an option for verifying the signature of a mar file that we could use:

Verify a MAR file:
  mar [-C workingDir] -d NSSConfigDir -n certname -v signed_archive.mar
At most 8 signature certificate names are specified by -n0 certName -n1 certName2, ...
At most 8 verification certificate names are specified by -n0 certName -n1 certName2, ...

However I don't know if we can easily access the certificate files from the tools/update-responses/download_missing_versions script.

comment:6 Changed 2 years ago by boklm

An other option would be to use the new sha256sums-signed-build.txt file, to check the downloads.

comment:7 in reply to:  6 Changed 2 years ago by gk

Replying to boklm:

An other option would be to use the new sha256sums-signed-build.txt file, to check the downloads.

That's a good idea. Waiting for #18925 might still take a while :/

comment:8 Changed 21 months ago by boklm

Keywords: TorBrowserTeam201802R added; TorBrowserTeam201702 removed
Status: newneeds_review

I pushed in branch bug_20892 a patch using the sha256sums-signed-build.txt file to verify the downloads:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_20892&id=f5211682c2dd2115a2c3da3f3d5a564fe5d109ec

comment:9 Changed 21 months ago by gk

Keywords: TorBrowserTeam201802 added; TorBrowserTeam201802R removed
Status: needs_reviewneeds_revision

One nit in the commit message: s/This fix the download/This fixes the download/

comment:10 Changed 21 months ago by boklm

Keywords: TorBrowserTeam201802R added; TorBrowserTeam201802 removed
Status: needs_revisionneeds_review

comment:11 Changed 20 months ago by gk

Looks good. I merged it to master (commit 79538fbfc42b467f7badce8eb5d024d74392f8a1). boklm, please have a look at the child ticket so that we can close this one.

comment:12 Changed 20 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

comment:13 Changed 18 months ago by boklm

Keywords: tbb-backport added

comment:14 Changed 18 months ago by gk

Keywords: tbb-backported added; tbb-backport removed

Backported with commit da514cdf49e89fb5efbb969cfd74dd561d50f54e.

Note: See TracTickets for help on using tickets.