[tbb-bugs] #20209 [Applications/Tor Browser]: Torbrowser 6.5a3 packages now signed with sha1, not sha512

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 21 21:29:01 UTC 2016


#20209: Torbrowser 6.5a3 packages now signed with sha1, not sha512
-------------------------------------------------+-------------------------
 Reporter:  arma                                 |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201609,                |  Actual Points:
  GeorgKoppen201609                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by yawning):

 Replying to [comment:1 gk]:
 > Seems I need to go to Mount Doom again and forge a proper subkey this
 > time. :( And check that I did it right. Good that we test those things on
 > the alphas first. :)

 What.  Your subkey is fine, you don't need to regenerate it.

 {{{
 $ gpg --export 0x4E2C6E8793298290 | gpg --list-packets --verbose

 [unrelated stuff omitted]

 # off=43459 ctb=89 tag=2 hlen=3 plen=1092
 :signature packet: algo 1, keyid 4E2C6E8793298290
         version 4, created 1472037984, md5len 0, sigclass 0x18
         digest algo 10, begin of digest fc 1d
         hashed subpkt 2 len 4 (sig created 2016-08-24)
         hashed subpkt 27 len 1 (key flags: 02)
         hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
         subpkt 16 len 8 (issuer key ID 4E2C6E8793298290)
         subpkt 32 len 540 (signature: v4, class 0x19, algo 1, digest algo 10)
         data:
 C6E1E79C88EA0AF4DFCCAA7FAC0227893D2E0E905C70063CAA8426F5F18743333A18D6E2E9F067501A10952891AD100996978316949E7401DB53218818CFA460F17C783ECF282DE3D989D4F27AB352C95F08DA8E231AB4A6D362D35EF7CF9346BAB86592841BCC41F7E061A55CEBDDFD755F9CE79DFA97032D688D7BF8E5CF0D92CC1DB5A0106EF610A6466F80DD8A7159D5905A06022A522D9C45BC011EC83938F2D51D50F5F84EBE6EF2A03AFF1E9DE744532D8BF66A110F5929FAD7FD6FF940F9FFFB54E159DF630D31F6613B235BF94CD5D3C15418F5EC1A69D614DA194D61596E882C26A917329D7DC0421BA3A96361F6847AE4B0827524095AC11EBAF4BB41497CD084653F20F5DE50038B26F84A9E7ACA102431F32DEC01E521FD9DFAAA61F41D9DB47D566774AE5723994AA2666B9579C535CDDF177287AF1F2194FAEB212106F6A4495B6E163A71CBA35195C0FA68C2BA04F65FD824EE7CDEA2D1BCDC30BE7B4625DCD5226F576E21A7113CBD3F71D62DFBD0A6F11E240B18E64D914DA4DEDA929E880DFAEEEB9800C19CB60DF82E781B81362379C29F41B56E1740CD62FE2192DB8FEB73838756BB25F41CB45B01D446220ADCB1D1520688BC30CFF541CD2FF08240624D028C682257126C071B68990A577208A865ED0F8C2B8CBC912BE5B100143032A70AF69D1B3A764A19968
 3AEF254DAF594DB429E035BADD8
 }}}

 The self-signature (primary key signing the sub key) is using
 `digest algo 10` (SHA512, per RFC4880).

 The only thing that needs to happen is to figure out what went wrong when
 you actually signed the bundles.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20209#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
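
An added example, not part of the comment above or of the Tor Project's tooling: a small parser for `gpg --list-packets` output that reports the signature class and digest algorithm of every signature packet, so the check made above on the subkey binding (sigclass 0x18) can be repeated on a bundle's detached signature. The function names, the `WEAK` set and the second sample packet are assumptions constructed for illustration.

```python
import re
import sys

# Hash algorithm IDs from RFC 4880 section 9.4; signature types from section 5.2.1.
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
KINDS = {0x00: "binary document", 0x01: "text document",
         0x13: "positive certification", 0x18: "subkey binding",
         0x19: "primary key binding"}
WEAK = {"MD5", "SHA1"}  # assumption: the digests this check should flag

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"\bsigclass 0x([0-9A-Fa-f]{2})")
DIGEST_RE = re.compile(r"^digest algo (\d+),")

def signature_digests(listing):
    """One dict per ':signature packet:' found in `gpg --list-packets` text."""
    sigs, cur = [], None
    for line in listing.splitlines():
        s = line.strip()
        m = SIG_RE.match(s)
        if m:
            cur = {"keyid": m.group(1).upper(), "kind": None, "hash": None}
            sigs.append(cur)
        elif s.startswith(":"):
            cur = None  # a different packet type starts here
        elif cur is not None:
            c, d = CLASS_RE.search(s), DIGEST_RE.match(s)
            if c:
                n = int(c.group(1), 16)
                cur["kind"] = KINDS.get(n, f"class 0x{n:02x}")
            if d:  # embedded signatures (subpkt 32) do not match: line starts with "subpkt"
                n = int(d.group(1))
                cur["hash"] = HASHES.get(n, f"unknown({n})")
    return sigs

def weak_signatures(listing):
    """Signature packets whose digest is in WEAK."""
    return [s for s in signature_digests(listing) if s["hash"] in WEAK]

# First packet: header lines quoted in the comment above. Second: constructed sample.
SAMPLE = """\
:signature packet: algo 1, keyid 4E2C6E8793298290
        version 4, created 1472037984, md5len 0, sigclass 0x18
        digest algo 10, begin of digest fc 1d
:signature packet: algo 1, keyid 0000000000000000
        version 4, created 0, md5len 0, sigclass 0x00
        digest algo 2, begin of digest 00 00
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for sig in signature_digests(text):
        print(sig, "WEAK" if sig["hash"] in WEAK else "ok")
```

Pipe the output of `gpg --list-packets` for a key export or a `.asc` signature file into the script to list each signature's class and digest.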

