[tbb-bugs] #20209 [Applications/Tor Browser]: Torbrowser 6.5a3 packages now signed with sha1, not sha512

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 21 21:29:01 UTC 2016

#20209: Torbrowser 6.5a3 packages now signed with sha1, not sha512
 Reporter:  arma                                 |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201609,                |  Actual Points:
  GeorgKoppen201609                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by yawning):

 Replying to [comment:1 gk]:
 > Seems I need to go to Mount Doom again and forge a proper subkey this
 time. :( And check that I did it right. Good that we test those things on
 the alphas first. :)

 What.  Your subkey is fine, you don't need to regenerate it.

 $ gpg --export  0x4E2C6E8793298290 | gpg --list-packets --verbose`

 [unrelated stuff omitted]

 # off=43459 ctb=89 tag=2 hlen=3 plen=1092
 :signature packet: algo 1, keyid 4E2C6E8793298290
         version 4, created 1472037984, md5len 0, sigclass 0x18
         digest algo 10, begin of digest fc 1d
         hashed subpkt 2 len 4 (sig created 2016-08-24)
         hashed subpkt 27 len 1 (key flags: 02)
         hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
         subpkt 16 len 8 (issuer key ID 4E2C6E8793298290)
         subpkt 32 len 540 (signature: v4, class 0x19, algo 1, digest algo

 The self-signature (primary key signing the sub key) is using `digest algo
 10` (SHA512, per RFC4880).

 The only thing that needs to happen is figure out what went wrong when you
 actually signed the bundles.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20209#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list