[tbb-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 14 23:16:26 UTC 2017

#22612: Provide a list sha256's for verified binary downloads from mirrors
     Reporter:  BenjaminCarr              |      Owner:  tbb-team
         Type:  enhancement               |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:  sha256
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 While attempting to bump the version in the OSX Homebrew system in the
 middle of the night I discovered that the list of sha256s provided did not
 align with the downloaded DMGs that were on the mirrors:
 shasum -a 256 TorBrowser-7.0.1-osx64_ar.dmg
 when on the list it is:

 Since distributing tainted software is of concern particularly on security
 related matters, I halted the PR and flagged it. Contributors on two other
 continents checked their mirrors, and we were all getting the same
 sha256s, but these did not align with the only published list of shas. The
 only publicly available sha list is for the signed software (here is
 v7.0.1): https://dist.torproject.org/torbrowser/7.0.1/sha256sums-unsigned-

 While we acknowledge the utility and use of the PGP *.asc signing, the
 homebrew (I have no idea what kind of reach we have for Tor products)
 currently requires a sha256 on a downloaded file even if other verification
 methods are used. Thus to implement PGP verification we would need to do
 it on top of the sha256 unless we switch TorBrowser to `:latest` which we
 do not want to do for security reasons.

 As the tested sha256s are consistent across mirrors a published list of
 sha256s for known good installers/DMGs is requested; as I was not the only
 one confused; but rather four homebrew contributors/maintainers.

 Needing to wget all of the binaries to verify the sha's presents two
 problems, one the mirror used could be tainted/compromised; given recent
 seizures like those in France this is of modest concern. But even in
 affluent countries like the US high-speed broadband is not evenly
 distributed; and needing to pull 16 ~62MB DMG's is nearly a gigabyte of
 data just to verify the sha256s. A `verified` sha256 list solves both
 these problems.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22612>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
