Opened 8 months ago

Closed 4 months ago

#31988 closed defect (fixed)

Generate a mar signing key for nightly builds

Reported by: boklm
Owned by: boklm
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-rbm, boklm201910, tbb-update, TorBrowserTeam202001R
Cc: boklm, mcs, brade, ln5, pili, tbb-team
Actual Points: 1
Parent ID: #18867
Points: 1
Reviewer: mcs
Sponsor:

Description

We should generate a signing key for the nightly build.

Also see ticket:18867#comment:15.

Change History (12)

comment:1 Changed 7 months ago by pili

Keywords: TorBrowserTeam201911 added; TorBrowserTeam201910 removed

Moving tickets to November 2019

comment:2 Changed 7 months ago by pili

Cc: tbb-team added
Owner: changed from tbb-team to boklm
Status: changed from new to assigned

Assigning tickets to boklm for the next few months

comment:3 Changed 6 months ago by pili

Keywords: TorBrowserTeam201912 added; TorBrowserTeam201911 removed

Moving tickets to December

comment:4 Changed 5 months ago by sysrqb

Keywords: TorBrowserTeam202001 added; TorBrowserTeam201912 removed

comment:5 Changed 4 months ago by boklm

Keywords: TorBrowserTeam202001R added; TorBrowserTeam202001 removed
Status: changed from assigned to needs_review

comment:6 Changed 4 months ago by boklm

Actual Points: 1

comment:7 Changed 4 months ago by pili

Reviewer: mcs

comment:9 Changed 4 months ago by mcs

The script looks good. Do we expect to use this script manually or via automation? If we only plan to use it manually, it seems like we should avoid using --empty-password. Of course if we do not use that option then there will be another password for us to track.

comment:10 in reply to: 9; Changed 4 months ago by boklm

Replying to mcs:

The script looks good. Do we expect to use this script manually or via automation? If we only plan to use it manually, it seems like we should avoid using --empty-password. Of course if we do not use that option then there will be another password for us to track.

I have been thinking about adding a password to the key, but then realized that we will be using this key to automatically sign new nightly builds, so the signing script will need to know the password and we would need to store the password in a file along with the key. This means that if an attacker is able to steal the key, they will also likely be able to steal the password with it. So it seems to me that having a password does not provide any additional protection, and not having one makes things a little more simple.

comment:11 in reply to: 10; Changed 4 months ago by mcs

Replying to boklm:

I have been thinking about adding a password to the key, but then realized that we will be using this key to automatically sign new nightly builds, so the signing script will need to know the password and we would need to store the password in a file along with the key. This means that if an attacker is able to steal the key, they will also likely be able to steal the password with it. So it seems to me that having a password does not provide any additional protection, and not having one makes things a little more simple.

What you said makes sense to me, so:
r=mcs

comment:12 Changed 4 months ago by boklm

Resolution: fixed
Status: changed from needs_review to closed

Thanks. I cherry-picked the patch on master as commit 930497f483bc85e056ed278e00edd3266c4fed47.