Opened 2 years ago

Closed 20 months ago

#22612 closed enhancement (fixed)

Provide a list sha256's for verified binary downloads from mirrors

Reported by: BenjaminCarr Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-rbm, TorBrowserTeam201802R
Cc: boklm Actual Points:
Parent ID: #20892 Points:
Reviewer: Sponsor:

Description

While attempting to bump the version in the OSX Homebrew system in the middle of the night I discovered that the list of sha256s provided did not allign with the downloaded DMGs that were on the mirrors:
shasum -a 256 TorBrowser-7.0.1-osx64_ar.dmg
96127d410647bc63b592238e7a5473a63c9588a88fbc501cbce93b02e546bf2e TorBrowser-7.0.1-osx64_ar.dmg
when on the list it is:
325550bf93c24e302354d4bcf90bda04540c4e8c78c270b735b5598e1dcd988d TorBrowser-7.0.1-osx64_ar.dmg

Since distributing tainted software is of concern particularly on security related matters, I halted the PR and flagged it. Contributors on two other continents checked their mirrors, and we were all getting the same sha256s, but these did not align with the only published list of shas. The only publiclly avaailable sha list is for the signed software (here is v7.0.1): https://dist.torproject.org/torbrowser/7.0.1/sha256sums-unsigned-build.txt

While we acknowledge the utility and use of the PGP *.asc signing, the homebrew (I have no idea what kind of reach we have for Tor products) currently require a sha256 on a downloaded file even if other verification methods are used. Thus to implement PGP verification we would need to do it on top of the sha256 unless we switch TorBrowser to :latest which we do not want to do for security reasons.

As the tested sha256s are consistent across mirrors a published list of sha256s for known good installers/DMGs is requested; as I was not the only one confused; but rather four homebrew contributors/maintainers.

Needing to wget all of the binaries to verify the sha's presents two problems, one the mirror used could be tainted/compromised; given recent seizures like those in France this is of modest concern. But even in affluent countries like the US highspeed broadband is not evenly distributed; and needing to pull 16 ~62MB DMG's is nearly a gigabyte of data just to verify the sha256s. A verified sha256 list solves both these problems.

Child Tickets

Change History (16)

comment:1 Changed 2 years ago by gk

Keywords: tbb-gitian TorBrowserTeam201706 added; sha256 removed

Putting that on our radar to have it ready for the next regular release.

comment:2 Changed 2 years ago by gk

Keywords: TorBrowserTeam201707 added; TorBrowserTeam201706 removed

Moving Tickets to July 2017.

comment:3 Changed 2 years ago by gk

Keywords: TorBrowserTeam201708 added; TorBrowserTeam201707 removed

Moving our Tickets to August.

comment:4 Changed 2 years ago by gk

Cc: boklm added

We did not get to implement that so far but I took the shortcut of generating some sha256sums-signed-build-files. Let me know if there are issues with that.

comment:5 Changed 2 years ago by gk

Keywords: TorBrowserTeam201709 added; TorBrowserTeam201708 removed

Items for September 2017.

comment:6 Changed 2 years ago by gk

Keywords: tbb-rbm added; tbb-gitian removed

Moving over to rbm

comment:7 Changed 2 years ago by gk

Keywords: TorBrowserTeam201710 added; TorBrowserTeam201709 removed

Items for October 2017

comment:8 Changed 2 years ago by gk

Parent ID: #20892

comment:9 Changed 2 years ago by gk

Keywords: TorBrowserTeam201711 added; TorBrowserTeam201710 removed

Moving tickets over to November.

comment:10 Changed 23 months ago by gk

Moving tickets to December 2017

comment:11 Changed 23 months ago by gk

Keywords: TorBrowserTeam201712 added; TorBrowserTeam201711 removed

Moving tickets to December 2017, for realz.

comment:12 Changed 21 months ago by gk

Keywords: TorBrowserTeam201801 added; TorBrowserTeam201712 removed

Moving tickets to 2018.

comment:13 Changed 21 months ago by gk

Keywords: TorBrowserTeam201802 added; TorBrowserTeam201801 removed

Moving tickets to Feb

comment:14 Changed 20 months ago by gk

Keywords: TorBrowserTeam201802R added; TorBrowserTeam201802 removed
Status: newneeds_review

To make some progress on #20892 in bug_22612 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_22612&id=90891f83a0692dd7041c162538b417fcf85daf0f) in my tor-browser-build repo is a patch that is adding a script to fix this bug up for review.

comment:15 Changed 20 months ago by boklm

Maybe we can add an export LC_ALL=C in the script so that the sort does not depend on the locale?

Otherwise the patch looks good.

comment:16 in reply to:  15 Changed 20 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

Replying to boklm:

Maybe we can add an export LC_ALL=C in the script so that the sort does not depend on the locale?

Otherwise the patch looks good.

Thanks. I've fixed that and pushed the result (commit 011e0d3d3da5263efa29b9a5963caa083f4c3ff5) to master.

Note: See TracTickets for help on using tickets.