Opened 6 years ago

Closed 6 months ago

#8346 closed defect (wontfix)

Vidalia Bundles have bad signatures

Reported by: mo
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity: Normal
Keywords: needs-triage
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

All the Vidalia bundles still have a broken signature.

gpg --verify vidalia-bridge-bundle-0.2.3.25-0.2.21.exe.asc vidalia-bridge-bundle-0.2.3.25-0.2.21.exe
gpg: Signature made Mon 03 Dec 2012 07:41:14 PM CET using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark <erinn@…>"

(same for exit/relay bundles)

Change History (10)

comment:1 Changed 6 years ago by erinn

Resolution: fixed
Status: new → closed

Should all be updated and fixed now. Please reopen if you have further problems. Thanks!

comment:2 Changed 6 years ago by mo

Resolution: fixed
Status: closed → reopened

vidalia-relay-bundle-0.2.3.25-0.2.21.exe.asc
gpg: Signature made Mon 03 Dec 2012 06:41:20 PM UTC using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark <erinn@…>"

comment:3 Changed 6 years ago by erinn

Resolution: fixed
Status: reopened → closed

That isn't the version that's linked from the download page and hasn't been for a while, but I've removed it from the website anyway to prevent further confusion.

comment:4 Changed 6 years ago by mikeperry

Resolution: fixed
Status: closed → reopened

Do we have a guess as to what happened to cause the signatures to mismatch?

Also, shouldn't we do something about the archive? I am not sure what the best answer is. Perhaps it is simply removing those files+sigs and adding a signed statement about corruption, but we should try to find out what the cause of the corruption was in the first place (if we can).

comment:5 Changed 6 years ago by nickm

As I understand it, it was a snafu/clusterfuck surrounding the release/unrelease of a Tor containing the ill-fated and under-tested OpenSSL 1.0.1d. I've suggested (if I recall correctly!) that the right solution is to replace the signature file with a tor-...why_no_sig file explaining what happened. My rationale was that removing the signature without comment would be silly and leaving it there would be silly and replacing it with a post hoc signature would be extremely silly.

Helix has (if I understand correctly) agreed that this would be a good and easy idea.

comment:6 Changed 6 years ago by mo

Some of the vidalia bundles in still have bad signatures, and win32/tor-0.2.3.25-win32.exe completely lacks a signature file. This is current /dist, not the archive.

Problem with signature of ./win32/tor-0.2.3.25-win32.exe
gpg: can't open `./win32/tor-0.2.3.25-win32.exe.asc'
gpg: verify signatures failed: file open error

Problem with signature of ./vidalia-bundles/vidalia-relay-bundle-0.2.3.25-0.2.21.exe
gpg: Signature made Mon 03 Dec 2012 06:41:20 PM UTC using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark <erinn@…>"

Problem with signature of ./vidalia-bundles/vidalia-exit-bundle-0.2.3.25-0.2.21.exe
gpg: Signature made Mon 03 Dec 2012 06:41:17 PM UTC using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark <erinn@…>"

Problem with signature of ./vidalia-bundles/vidalia-bundle-0.2.3.25-0.2.21-i386.dmg
gpg: Signature made Mon 03 Dec 2012 06:42:06 PM UTC using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark <erinn@…>"

comment:7 Changed 4 years ago by erinn

Keywords: needs-triage added

comment:8 Changed 4 years ago by cypherpunks

Priority: blocker → normal
Status: reopened → needs_information

Does anybody plan to process the archive to find problem signatures for deprecated bundles?

comment:9 Changed 12 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:10 Changed 6 months ago by arma

Resolution: wontfix
Status: needs_information → closed

I'm going to close this ticket, since we have better strategies now for making sure that signatures will work, and the old packages will remain however they were.
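
Added example, not part of the ticket and not the Tor Project's tooling: one way to produce the kind of per-file report shown in comment 6, walking a download tree and flagging every artifact whose detached .asc is missing or fails verification. The suffix list, function names and verdict labels are assumptions of this example; verdicts are taken from gpg's machine-readable --status-fd keywords rather than its human-readable text.

```python
import subprocess
from pathlib import Path

# File types treated as release artifacts (assumption for this example).
ARTIFACT_SUFFIXES = {".exe", ".dmg", ".gz", ".zip"}

def classify_status(status_text):
    """Map gpg --status-fd output to one verdict; any failure outranks GOODSIG."""
    keywords = {parts[1] for parts in
                (line.split() for line in status_text.splitlines())
                if len(parts) > 1 and parts[0] == "[GNUPG:]"}
    if "BADSIG" in keywords:
        return "bad"                      # data and signature do not match
    if keywords & {"ERRSIG", "NO_PUBKEY"}:
        return "unverifiable"             # e.g. signing key not in keyring
    if keywords & {"EXPKEYSIG", "REVKEYSIG", "EXPSIG"}:
        return "key-problem"              # expired/revoked key or signature
    if {"GOODSIG", "VALIDSIG"} <= keywords:
        return "good"
    return "unverifiable"                 # no usable status: fail closed

def run_gpg(sig_path, file_path):
    """Verify a detached signature; return gpg's status lines from stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         str(sig_path), str(file_path)],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.stdout

def audit(root, verify=run_gpg):
    """Return {relative path: verdict} for every artifact under root."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in ARTIFACT_SUFFIXES:
            continue
        sig = path.with_name(path.name + ".asc")
        if not sig.is_file():
            verdict = "missing-signature"  # the tor-...-win32.exe case above
        else:
            verdict = classify_status(verify(sig, path))
        report[path.relative_to(root).as_posix()] = verdict
    return report

if __name__ == "__main__":
    import sys
    for name, verdict in audit(sys.argv[1]).items():
        if verdict != "good":
            print(f"{verdict}: {name}")
```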
