Opened 7 years ago

Closed 4 years ago

#5913 closed enhancement (fixed)

Check hashes for the packages downloaded during TBB build

Reported by: amieiro Owned by: erinn
Priority: Medium Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords:
Cc: Sebastian Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I've added some steps to verify the sha256 hash of the downloaded packages.

There's some more work to be done, mainly allowing for an easier way to update the expected hashes (for now we should do this manually when we update the package version) and for verifying gpg signatures, but this should be an improvement over what we have now.

The patch is in the 'check_download_hashes' branch of git://github.com/flavioamieiro/torbrowser.git (https://github.com/flavioamieiro/torbrowser/tree/check_download_hashes).

Child Tickets

Change History (3)

comment:1 Changed 7 years ago by amieiro

Status: newneeds_review

It turns out there was a difference in how shasum worked in my environment, so the previous patch didn't work.

Following Sebastian's suggestion, I've pushed a commit to that branch that uses test to compare the expected hash and the output of shasum. The new commit is 9386292a29f (https://github.com/flavioamieiro/torbrowser/commit/9386292a29f)

I've tested this on an Archlinux machine and a debian (squeeze) one.

comment:2 Changed 7 years ago by amieiro

Following Shondoit's suggestion I changed the Makefile to use cut instead of awk to parse shasum's output. This is commit 45cbb9107 in my branch (https://github.com/flavioamieiro/torbrowser/commit/45cbb9107). This does feel more natural (at least to me). It would be great if you guys could test this on Windows and OSX (I've tested on Archlinux, but I can't see how this wouldn't work on debian, or any other GNU/Linux distro).

Also, it would be great if someone else could check the hashes I've put in the Makefile. I've checked signatures for all the packages that had them available (or at least that I could find sigs for), and for the rest I just had to trust my connection.

comment:3 Changed 4 years ago by cypherpunks

Resolution: fixed
Status: needs_reviewclosed

This is patch for Scripts to build the Tor Browser Bundles (old, pre 3.x)
Closing as fixed, please create a new ticket if it's still an issue for gitian-builder scripts.

Note: See TracTickets for help on using tickets.