[tbb-bugs] #26045 [Applications/Tor Browser]: Create a new MAR signing key for ESR60

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jun 12 09:25:44 UTC 2018

#26045: Create a new MAR signing key for ESR60
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:
                                                 |  reopened
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  GeorgKoppen201806,                   |  Actual Points:
  TorBrowserTeam201806                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by gk):

 Two additional bits of information that may help:

 1) I essentially used the key generation command as specified in our
 KeyGeneration doc, just adjusted to the new hash length. I.e. `certutil -d
 nssdb -S -x -g 4096 -Z SHA384 -n marsigner -s "CN=Tor Browser MAR signing
 key" -t,,`

 2) For signing I used the old script we had in the Gitian days,
 `signmars.sh` changed to check for the new cert9.db and to make sure it is
 using the new mar-tools (i.e. those built with the esr60 nightly).

 If you want to inspect the .der certs, I used `bug_26045` in my public
 `tor-browser-build` repo for building.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26045#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list