Opened 9 years ago

Closed 9 months ago

#3980 closed enhancement (duplicate)

gettor should deliver checksums of our packages

Reported by: arma Owned by:
Priority: Medium Milestone:
Component: Applications/GetTor Version:
Severity: Normal Keywords: gettor-roadmap, ex-sponsor-19, ex-sponsor19
Cc:…, poly@…, ilv@…, cohosh Actual Points:
Parent ID: #9036 Points: 1
Reviewer: Sponsor:

Description (last modified by traumschule)

Some people can't fetch the full packages over gmail, because they're too big, because their gmail interactions are throttled, or because their Internet connection sucks too much to fetch 30MB.

We should deliver checksums with the download links with instructions how to compare them (#3893). Then they can get their Tor from wherever, and verify it.

Child Tickets

Change History (19)

comment:1 Changed 9 years ago by arma

Priority: normalmajor

comment:2 Changed 9 years ago by kaner

Owner: set to kaner
Status: newassigned

How about letting the user send an email with the trigger word "checksums" in the body of their email to GetTor?

The answer would include all currently known checksums.

GetTor could keep a checksums.txt file around that gets updated with every GetTor -p run (-p is how GetTor builds the packages to send out from the packages under /dist/.

comment:3 Changed 7 years ago by sukhbir

Cc:… added

comment:4 Changed 6 years ago by poly

Status: assignedneeds_review

I have implemented this feature and wanted to ask for feedback before submitting. I have modified "" and "" to support an additional type of request - "checksum". If the word checksum (case insensitive) matches anywhere in the email body, a list of all stored checksums in the email's locale is sent.

Here is sample output:
Find the actual implementation here:


comment:5 Changed 6 years ago by poly

Cc: poly@… added

comment:6 Changed 6 years ago by ilv

Cc: ilv@… added
Priority: majornormal

comment:7 Changed 6 years ago by ilv

The code looks good, but I'm not sure if this is the way we want to do it? I mean, to look for the checksums you open the links file and do some regexp, but this depends on the format of the message, which may change in the future. What if we add this feature in the scripts that upload the bundles to cloud services? We could generate a sha_checksums.txt file after the files have been uploaded, and all we have to do to send the checksums would be to send the contents of that file.

comment:8 Changed 6 years ago by ilv

After we automate the process of deliver the latest Tor Browser we could use this file:{{latest_version}}/sha256sums.txt (e.g.

comment:9 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:10 Changed 2 years ago by traumschule

Description: modified (diff)
Owner: changed from kaner to traumschule
Status: needs_reviewassigned
Summary: gettor should have a way to mail you sha1sums of our packagesgettor should deliver checksums of our packages

+1 for delivering checksums and instructions in the email

comment:11 Changed 2 years ago by traumschule

A code draft to add signature links and checksums is already in place:

I suggest to add simple instructions how to verify them to the README:

Please tell if you had other ideas.

comment:12 Changed 2 years ago by traumschule

Parent ID: #9036

Let #9036 adopt some children.

comment:13 Changed 2 years ago by traumschule

Owner: traumschule deleted

Won't have a chance to do this during the next weeks.

comment:14 Changed 19 months ago by gaba

Keywords: gettor-roadmap added
Sponsor: Sponsor19

comment:15 Changed 17 months ago by gaba

Keywords: ex-sponsor-19 added

Adding the keyword to mark everything that didn't fit into the time for sponsor 19.

comment:16 Changed 17 months ago by gaba

Keywords: ex-sponsor19 added
Sponsor: Sponsor19

Remove sponsor 19 and add a keyword ex-sponsor19 to mark all the tickets that could have been in the scope of the sponsor.

comment:17 Changed 13 months ago by cohosh

Cc: cohosh added

cc'ing cohosh on open GetTor tickets.

comment:18 Changed 9 months ago by cohosh

Points: 1

We now distribute a signature file, but we should include some instructions in the email text about how to use it.

comment:19 Changed 9 months ago by cohosh

Resolution: duplicate
Status: assignedclosed

This is actually now functionally a duplicate of #17425, let's use that ticket instead.

Note: See TracTickets for help on using tickets.