[tbb-bugs] #26045 [Applications/Tor Browser]: Create a new MAR signing key for ESR60

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 11 14:20:14 UTC 2018


#26045: Create a new MAR signing key for ESR60
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:
                                                 |  reopened
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  GeorgKoppen201806,                   |  Actual Points:
  TorBrowserTeam201806                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * cc: mcs, brade (added)


Comment:

 Okay, I tested quite a bit. Here is the scenarios I covered:

 old=BZIP2 new=LZMA

 1) Signing old and new MAR file based on latest esr60 tor browser code
 with currently used cert
   a) used esr60 nightly (just tested old MAR compression)
     ERROR: Unknown signature algorithm ID.
     ERROR: Unknown signature algorithm ID.
   b) used esr52 alpha
     i) old worked, updated to esr60 nightly
     ii) new did not work, did essentially nothing and gave no errors

 2) Signing old and new MAR file based on latest esr60 tor browser code
 with new cert
   a) esr60 nightly (tested old and new MAR compression)
     ERROR: Error verifying signature.
     ERROR: Error verifying signature.
   b) esr52 nightly (just tested with old MAR compression)
     ERROR: Unknown signature algorithm ID 2.
     ERROR: Unknown signature algorithm ID 2.

 3) Taking the result from 1a)i
    a) applying old with nssdb4
      ERROR: Unknown signature algorithm ID.
      ERROR: Unknown signature algorithm ID.
    b) applying new with nssdb4
      ERROR: Unknown signature algorithm ID.
      ERROR: Unknown signature algorithm ID.
    c) applying old with nssdb6
      ERROR: Error verifying signature.
      ERROR: Error verifying signature.
    d) applying new with nssdb6
      ERROR: Error verifying signature.
      ERROR: Error verifying signature.

 Everything looks good except in 3c) and 3d). I had expected that in 3c)
 nothing happens and in 3d) the update with the new cert works. I tried to
 debug that and came earlier to the conclusion that I need to replace the
 nightly certs with the new certs as well for testing purposes. That's
 already included.

 Now, I wonder what is going on. If I use the new mar-tools and create a
 new `nssdb` importing the public part of the new cert into it using
 {{{
 certutil -A -d nssdb -n marsigner -t,, -i ../../tor-
 browser/toolkit/mozapps/update/updater/release_primary.der
 }}}
 and doing now a verification of the signature of the two MAR files used in
 3c) and 3d) the check succeeds. I.e.:
 {{{
 signmar -d nssdb -n marsigner -v 8.0a10_nssdb6/tor-browser-linux64-tbb-
 nightly-new-nightly-cert-unsigned.mar
 }}}
 returns nothing while importing the second new cert and checking against
 that one fails (which is expected as the key behind the first one signed
 the MAR files).

 So, this makes me feel optimistic. Still, it would be nice to understand
 why the update in 3d) failed and why there was a signature verification
 error in 3c).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26045#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list