[tbb-bugs] #15532 [Tor Browser]: Tor Browser 4.5 displays signature validation error during update

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 1 21:35:30 UTC 2015

#15532: Tor Browser 4.5 displays signature validation error during update
     Reporter:  mikeperry    |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-4.5-alpha
Actual Points:               |  Parent ID:
       Points:               |

Comment (by mcs):

 The difficulty in fixing this bug is that Mozilla tends to consider stderr
 as something that most users will ignore. In this specific case, a
 function named mar_verify_signatures() that is in
 modules/libmar/verify/mar_verify.c is called twice by the updater code.
 The first call, with the cert that was not used to sign the 4.5a5 MAR
 files, causes two error lines to be sent to stderr.

 Unfortunately, the code in mar_verify.c contains 32 fprintf(stderr,
 "ERROR: ...") statements. The information that is output could be very
 useful if there is a real problem with MAR file signature verification,
 and mar_verify.c is also used by the signmar command line program (where
 it makes sense to have the stderr output).

 Maybe we can add a bool parameter to mar_verify_signatures() that controls
 whether messages are written to stderr. Then we could enable them for the
 signmar command line program and disable them for the updater. I think the
 patch to do this will be somewhat large but fairly simple. We might even
 be able to make it so that the messages are logged to stderr when the
 app.update.log pref. is true, although that is a little tricky because the
 updater program itself cannot read prefs. But we could use an environment
 variable like Mozilla does for other things; look for PR_SetEnv() calls
 inside toolkit/xre/nsUpdateDriver.cpp.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15532#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
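
The approach suggested in the comment above (a flag that gates the stderr diagnostics, set from an environment variable because the updater cannot read prefs), sketched as an added example that is not code from mar_verify.c or the Tor Browser patch. All names here, including the EXAMPLE_UPDATE_LOG variable, are hypothetical, and the string comparison is a stand-in for real signature verification.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a signed archive: records which key signed it. */
struct archive { const char *signer_id; };

int g_lines_logged; /* number of diagnostics actually written */

/* Write an "ERROR: ..." line only when the caller asked for diagnostics. */
void log_err(int verbose, const char *fmt, ...)
{
    va_list ap;
    if (!verbose)
        return;
    va_start(ap, fmt);
    fputs("ERROR: ", stderr);
    vfprintf(stderr, fmt, ap);
    fputc('\n', stderr);
    va_end(ap);
    g_lines_logged++;
}

/* Toy check standing in for signature verification: 0 = ok, -1 = fail. */
int verify_with_cert(const struct archive *a, const char *cert, int verbose)
{
    if (strcmp(a->signer_id, cert) != 0) {
        log_err(verbose, "signature does not match cert %s", cert);
        return -1;
    }
    return 0;
}

/* The updater cannot read prefs, so the parent process would export a
 * variable; EXAMPLE_UPDATE_LOG is an assumed name, not a real one. */
int parse_verbose(const char *v) { return v != NULL && strcmp(v, "1") == 0; }
int verbose_from_env(void) { return parse_verbose(getenv("EXAMPLE_UPDATE_LOG")); }

/* Try every trusted cert. Per-cert mismatches are gated by `verbose`, but a
 * total failure is always reported so a real problem is never silent. */
int verify_any(const struct archive *a, const char *const *certs, size_t n,
               int verbose)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (verify_with_cert(a, certs[i], verbose) == 0)
            return 0;
    log_err(1, "no trusted cert verified the archive (%zu tried)", n);
    return -1;
}
```

A command line tool would call verify_any() with verbose set to 1, while an updater would pass verbose_from_env().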
