[tbb-bugs] tbb-bugs Digest, Vol 73, Issue 21
mlp525
mlp525 at aol.com
Fri May 8 11:02:26 UTC 2020
Stop sending me emails
Sent from my iPhone
> On May 8, 2020, at 12:20 AM, tbb-bugs-request at lists.torproject.org wrote:
>
> Send tbb-bugs mailing list submissions to
> tbb-bugs at lists.torproject.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-bugs
> or, via email, send a message with subject or body 'help' to
> tbb-bugs-request at lists.torproject.org
>
> You can reach the person managing the list at
> tbb-bugs-owner at lists.torproject.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of tbb-bugs digest..."
>
>
> Today's Topics:
>
> 1. Re: #34145 [Applications/Tor Browser]: Investigate fallout
> from transitioning to 77.0b1 (was: Fix fallout from transitioning
> to 77.0b1) (Tor Bug Tracker & Wiki)
> 2. Re: #34145 [Applications/Tor Browser]: Investigate fallout
> from transitioning to 77.0b1 (Tor Bug Tracker & Wiki)
> 3. Re: #34145 [Applications/Tor Browser]: Investigate fallout
> from transitioning to 77.0b1 (Tor Bug Tracker & Wiki)
> 4. Re: #29614 [Applications/Tor Browser]: Use SHA-256 algorithm
> for Windows timestamping (Tor Bug Tracker & Wiki)
> 5. Re: #29614 [Applications/Tor Browser]: Use SHA-256 algorithm
> for Windows timestamping (Tor Bug Tracker & Wiki)
> 6. Re: #34032 [Applications/Tor Browser]: Use Securedrop's
> Official https-everywhere ruleset (Tor Bug Tracker & Wiki)
> 7. Re: #29694 [Applications/Tor Browser]: Build Go binaries with
> `-buildmode=pie"? (Tor Bug Tracker & Wiki)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 07 May 2020 20:11:00 -0000
> From: "Tor Bug Tracker & Wiki" <blackhole at torproject.org>
> To: undisclosed-recipients: ;
> Subject: Re: [tbb-bugs] #34145 [Applications/Tor Browser]: Investigate
> fallout from transitioning to 77.0b1 (was: Fix fallout from
> transitioning to 77.0b1)
> Message-ID: <057.dbf6de58962da63910d0e68cb22c28cc at torproject.org>
> Content-Type: text/plain; charset="utf-8"
>
> #34145: Investigate fallout from transitioning to 77.0b1
> -------------------------------------------------+-------------------------
> Reporter: gk | Owner: tbb-
> | team
> Type: defect | Status: new
> Priority: High | Milestone:
> Component: Applications/Tor Browser | Version:
> Severity: Normal | Resolution:
> Keywords: tbb-mobile, ReleaseTrainMigration, | Actual Points:
> TorBrowserTeam202005, GeorgKoppen202005 |
> Parent ID: #33533 | Points:
> Reviewer: | Sponsor:
> -------------------------------------------------+-------------------------
>
> Old description:
>
>> Compilation is busted with our patches based on 77.0b1. This is the bug
>> to address this.
>
> New description:
>
> Compilation is busted with our patches based on 77.0b1. This is the bug to
> investigate this.
>
> --
>
> Comment (by gk):
>
> Attached a patch for fixing
> https://bugzilla.mozilla.org/show_bug.cgi?id=1636036 if we really need
> to do it ourselves.
>
> --
> Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34145#comment:4>
> Tor Bug Tracker & Wiki <https://trac.torproject.org/>
> The Tor Project: anonymity online
>
> ------------------------------
>
> Message: 2
> Date: Thu, 07 May 2020 20:11:20 -0000
> From: "Tor Bug Tracker & Wiki" <blackhole at torproject.org>
> To: undisclosed-recipients: ;
> Subject: Re: [tbb-bugs] #34145 [Applications/Tor Browser]: Investigate
> fallout from transitioning to 77.0b1
> Message-ID: <057.c92699c169f797432958a7829122418d at torproject.org>
> Content-Type: text/plain; charset="utf-8"
>
> #34145: Investigate fallout from transitioning to 77.0b1
> -------------------------------------------------+-------------------------
> Reporter: gk | Owner: tbb-
> | team
> Type: defect | Status: new
> Priority: High | Milestone:
> Component: Applications/Tor Browser | Version:
> Severity: Normal | Resolution:
> Keywords: tbb-mobile, ReleaseTrainMigration, | Actual Points:
> TorBrowserTeam202005, GeorgKoppen202005 |
> Parent ID: #33533 | Points:
> Reviewer: | Sponsor:
> -------------------------------------------------+-------------------------
> Changes (by gk):
>
> * Attachment "0001-Bug-1636036-Always-generate-headers-from-IPDL.patch"
> added.
>
>
> --
> Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34145>
> Tor Bug Tracker & Wiki <https://trac.torproject.org/>
> The Tor Project: anonymity online
>
> ------------------------------
>
> Message: 3
> Date: Thu, 07 May 2020 20:18:24 -0000
> From: "Tor Bug Tracker & Wiki" <blackhole at torproject.org>
> To: undisclosed-recipients: ;
> Subject: Re: [tbb-bugs] #34145 [Applications/Tor Browser]: Investigate
> fallout from transitioning to 77.0b1
> Message-ID: <057.c3a93727a0bf079e7b24fd3e575cf02a at torproject.org>
> Content-Type: text/plain; charset="utf-8"
>
> #34145: Investigate fallout from transitioning to 77.0b1
> -------------------------------------------------+-------------------------
> Reporter: gk | Owner: tbb-
> | team
> Type: defect | Status: closed
> Priority: High | Milestone:
> Component: Applications/Tor Browser | Version:
> Severity: Normal | Resolution: fixed
> Keywords: tbb-mobile, ReleaseTrainMigration, | Actual Points:
> TorBrowserTeam202005, GeorgKoppen202005 |
> Parent ID: #33533 | Points:
> Reviewer: | Sponsor:
> -------------------------------------------------+-------------------------
> Changes (by gk):
>
> * status: new => closed
> * resolution: => fixed
>
>
> Comment:
>
> Okay, those were all the issues we had it seems, closing.
>
> --
> Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34145#comment:5>
> Tor Bug Tracker & Wiki <https://trac.torproject.org/>
> The Tor Project: anonymity online
>
> ------------------------------
>
> Message: 4
> Date: Thu, 07 May 2020 20:51:01 -0000
> From: "Tor Bug Tracker & Wiki" <blackhole at torproject.org>
> To: undisclosed-recipients: ;
> Subject: Re: [tbb-bugs] #29614 [Applications/Tor Browser]: Use SHA-256
> algorithm for Windows timestamping
> Message-ID: <057.343fcd74760ceadae1a6086c99a74b0d at torproject.org>
> Content-Type: text/plain; charset="utf-8"
>
> #29614: Use SHA-256 algorithm for Windows timestamping
> -------------------------------------------------+-------------------------
> Reporter: gk | Owner: gk
> Type: defect | Status:
> | needs_review
> Priority: Medium | Milestone:
> Component: Applications/Tor Browser | Version:
> Severity: Normal | Resolution:
> Keywords: tbb-sign, tbb-security, tbb-8.5, | Actual Points:
> GeorgKoppen202004, TorBrowserTeam202004R |
> Parent ID: #33168 | Points:
> Reviewer: | Sponsor:
> -------------------------------------------------+-------------------------
>
> Comment (by sysrqb):
>
> Okay, we're making progress on this. After misreading comment:17, gk
> walked me through the details of this process.
>
> For comparison, when using Authenticode Timestamping (with SHA-1),
> `osslsigncode verify` output something like:
>
> `$ osslsigncode verify torbrowser-install-win64-9.5a12_cs.exe`
> {{{
> Signature verification: ok
>
> Number of signers: 1
> Signer #0:
> Subject: /businessCategory=Private
> Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80
> S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor
> Project, Inc./CN=The Tor Project, Inc.
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
> Serial : 0F622EF31D0F1EF94E520DBD7A43E58C
>
> Number of certificates: 4
> Cert #0:
> Subject: /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> Serial : 03F1B4E15F3A82F1149678B3D7D8475C
> ------------------
> Cert #1:
> Subject: /businessCategory=Private
> Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80
> S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor
> Project, Inc./CN=The Tor Project, Inc.
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
> Serial : 0F622EF31D0F1EF94E520DBD7A43E58C
> ------------------
> Cert #2:
> Subject: /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
> Serial : 06FDF9039603ADEA000AEB3F27BBBA1B
> ------------------
> Cert #3:
> Subject: /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
> Serial : 03019A023AFF58B16BD6D5EAE617F066
> }}}
>
> Now, with RFC 3161 Timestamping (using any hashing algorithm, but in this
> case using SHA-256), `osslsigncode verify` only prints the code signing
> certificates (as gk described). This makes sense, because the RFC 2161
> timestamp is appended onto the pkcs7 structure embedded in the PE file,
> and timestamping does not result in a new and independent cert chain.
>
>
> {{{
> Signature verification: ok
>
> Number of signers: 1
> Signer #0:
> Subject: /businessCategory=Private
> Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80
> S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor
> Project, Inc./CN=The Tor Project, Inc.
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
> Serial : 0F622EF31D0F1EF94E520DBD7A43E58C
>
> Number of certificates: 2
> Cert #0:
> Subject: /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> Serial : 03F1B4E15F3A82F1149678B3D7D8475C
> ------------------
> Cert #1:
> Subject: /businessCategory=Private
> Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80
> S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor
> Project, Inc./CN=The Tor Project, Inc.
> Issuer : /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
> Serial : 0F622EF31D0F1EF94E520DBD7A43E58C
>
> Succeeded
> }}}
>
> Using `openssl pkcs7`, as gk described, we can see the asn.1 object
> appended within the unauthenticated portion. First, we must extract the
> signatures from the file, then we can parse the resulting pkcs7 object:
>
> {{{
> $ osslsigncode extract-signature -pem -in torbrowser-install-win64-9.5a12_cs.exe -out torbrowser-install-win64-9.5a12_cs.exe.sigs
> $ openssl pkcs7 -print -in torbrowser-install-win64-9.5a12_cs.exe.sigs
> }}}
>
> {{{
> unauth_attr:
> object: undefined (1.3.6.1.4.1.311.3.3.1)
> set:
> SEQUENCE:
> 0:d=0 hl=4 l=3761 cons: SEQUENCE
> 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
> 15:d=1 hl=4 l=3746 cons: cont [ 0 ]
> 19:d=2 hl=4 l=3742 cons: SEQUENCE
> 23:d=3 hl=2 l= 1 prim: INTEGER :03
> 26:d=3 hl=2 l= 15 cons: SET
> 28:d=4 hl=2 l= 13 cons: SEQUENCE
> 30:d=5 hl=2 l= 9 prim: OBJECT :sha256
> 41:d=5 hl=2 l= 0 prim: NULL
> 43:d=3 hl=2 l= 120 cons: SEQUENCE
> 45:d=4 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
> [snip]
> 282:d=8 hl=2 l= 47 cons: SEQUENCE
> 284:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 289:d=9 hl=2 l= 40 prim: PRINTABLESTRING :DigiCert SHA2 Assured ID Timestamping CA
> 331:d=6 hl=2 l= 30 cons: SEQUENCE
> 333:d=7 hl=2 l= 13 prim: UTCTIME :191001000000Z
> 348:d=7 hl=2 l= 13 prim: UTCTIME :301017000000Z
> 363:d=6 hl=2 l= 76 cons: SEQUENCE
> 365:d=7 hl=2 l= 11 cons: SET
> 367:d=8 hl=2 l= 9 cons: SEQUENCE
> 369:d=9 hl=2 l= 3 prim: OBJECT :countryName
> 374:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US
> 378:d=7 hl=2 l= 23 cons: SET
> 380:d=8 hl=2 l= 21 cons: SEQUENCE
> 382:d=9 hl=2 l= 3 prim: OBJECT :organizationName
> 387:d=9 hl=2 l= 14 prim: PRINTABLESTRING :DigiCert, Inc.
> 403:d=7 hl=2 l= 36 cons: SET
> 405:d=8 hl=2 l= 34 cons: SEQUENCE
> 407:d=9 hl=2 l= 3 prim: OBJECT :commonName
> 412:d=9 hl=2 l= 27 prim: PRINTABLESTRING :TIMESTAMP-SHA256-2019-10-15
> [snip]
>
> }}}
>
> --
> Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29614#comment:20>
> Tor Bug Tracker & Wiki <https://trac.torproject.org/>
> The Tor Project: anonymity online
>
> ------------------------------
>
> Message: 5
> Date: Thu, 07 May 2020 20:57:03 -0000
> From: "Tor Bug Tracker & Wiki" <blackhole at torproject.org>
> To: undisclosed-recipients: ;
> Subject: Re: [tbb-bugs] #29614 [Applications/Tor Browser]: Use SHA-256
> algorithm for Windows timestamping
> Message-ID: <057.89fa7bdff8c3a6b290e623dc26266614 at torproject.org>
> Content-Type: text/plain; charset="utf-8"
>
> #29614: Use SHA-256 algorithm for Windows timestamping
> -------------------------------------------------+-------------------------
> Reporter: gk | Owner: gk
> Type: defect | Status: closed
> Priority: Medium | Milestone:
> Component: Applications/Tor Browser | Version:
> Severity: Normal | Resolution: fixed
> Keywords: tbb-sign, tbb-security, tbb-9.5a12, | Actual Points:
> GeorgKoppen202004, TorBrowserTeam202004R |
> Parent ID: #33168 | Points:
> Reviewer: | Sponsor:
> -------------------------------------------------+-------------------------
> Changes (by sysrqb):
>
> * keywords:
> tbb-sign, tbb-security, tbb-8.5, GeorgKoppen202004,
> TorBrowserTeam202004R
> =>
> tbb-sign, tbb-security, tbb-9.5a12, GeorgKoppen202004,
> TorBrowserTeam202004R
> * status: needs_review => closed
> * resolution: => fixed
>
>
> Comment:
>
> Okay, all of the installers for Windows were timestamped using SHA-256 in
> 9.5a12.
>
> I merged the spec patch with commit
> `f07e8109ef72e895fd87b83413743828cfa180cc`.
>
> I think we're done here. Thanks for figuring this out, gk!
>
> --
> Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29614#comment:21>
> Tor Bug Tracker & Wiki <https://trac.torproject.org/>
> The Tor Project: anonymity online
>
> ------------------------------
>
> Message: 6
> Date: Fri, 08 May 2020 02:31:17 -0000
> From: "Tor Bug Tracker & Wiki" <blackhole at torproject.org>
> To: undisclosed-recipients: ;
> Subject: Re: [tbb-bugs] #34032 [Applications/Tor Browser]: Use
> Securedrop's Official https-everywhere ruleset
> Message-ID: <061.5f479d1d3bb16a5d28d5d12a648ef5ae at torproject.org>
> Content-Type: text/plain; charset="utf-8"
>
> #34032: Use Securedrop's Official https-everywhere ruleset
> -----------------------------------------------+--------------------------
> Reporter: sysrqb | Owner: tbb-team
> Type: defect | Status: closed
> Priority: Medium | Milestone:
> Component: Applications/Tor Browser | Version:
> Severity: Normal | Resolution: fixed
> Keywords: tbb-9.5a12, TorBrowserTeam202004R | Actual Points:
> Parent ID: | Points:
> Reviewer: | Sponsor:
> -----------------------------------------------+--------------------------
>
> Comment (by cypherpunks):
>
> FWIW, the links have the form: `https://securedrop.org/https-everywhere
> //latest-rulesets-timestamp`
>
> --
> Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34032#comment:4>
> Tor Bug Tracker & Wiki <https://trac.torproject.org/>
> The Tor Project: anonymity online
>
> ------------------------------
>
> Message: 7
> Date: Fri, 08 May 2020 04:20:17 -0000
> From: "Tor Bug Tracker & Wiki" <blackhole at torproject.org>
> To: undisclosed-recipients: ;
> Subject: Re: [tbb-bugs] #29694 [Applications/Tor Browser]: Build Go
> binaries with `-buildmode=pie"?
> Message-ID: <057.90a24b7af2f2172c990d963340ed4db3 at torproject.org>
> Content-Type: text/plain; charset="utf-8"
>
> #29694: Build Go binaries with `-buildmode=pie"?
> --------------------------------------+--------------------------
> Reporter: gk | Owner: tbb-team
> Type: defect | Status: new
> Priority: Medium | Milestone:
> Component: Applications/Tor Browser | Version:
> Severity: Normal | Resolution:
> Keywords: tbb-rbm | Actual Points:
> Parent ID: | Points:
> Reviewer: | Sponsor:
> --------------------------------------+--------------------------
>
> Comment (by cypherpunks):
>
>> (It goes without saying that this is only relevant for platforms where
>> this flag is actually supported, i.e. not for Windows binaries.)
>
> Supported on Windows and is the default since Go 1.15
> (https://github.com/golang/go/commit/c76befe0f40dfbb38a54c16d1845b97e4580797c)
>
> --
> Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29694#comment:4>
> Tor Bug Tracker & Wiki <https://trac.torproject.org/>
> The Tor Project: anonymity online
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> tbb-bugs mailing list
> tbb-bugs at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-bugs
>
>
> ------------------------------
>
> End of tbb-bugs Digest, Vol 73, Issue 21
> ****************************************
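
The check sysrqb walks through in Message 4 (ticket #29614), as an added example that is not part of the original thread: a shell filter over `openssl pkcs7 -print` output that reports whether the signature carries an RFC 3161 timestamp and which digest it uses. The function names and the sample dumps are assumptions made for illustration; the legacy sample is constructed, and 1.2.840.113549.1.9.6 (the PKCS#9 countersignature OID used by legacy Authenticode timestamps) does not appear in the thread.

```shell
#!/bin/sh
# Added example: classify the timestamp found in `openssl pkcs7 -print` output.
# Function names are hypothetical helpers, not part of osslsigncode or openssl.

OID_RFC3161='1.3.6.1.4.1.311.3.3.1'  # unauth_attr object shown in Message 4
OID_LEGACY='1.2.840.113549.1.9.6'    # PKCS#9 countersignature (not in the thread)

# Reads a dump on stdin; prints "rfc3161 <digest>", "authenticode" or "none".
timestamp_kind() {
    awk -v rfc="$OID_RFC3161" -v leg="$OID_LEGACY" '
        index($0, "(" rfc ")") { seen = 1; scan = 1; next }
        index($0, "(" leg ")") { legacy = 1 }
        scan && /OBJECT *:/ {
            name = $0
            sub(/.*OBJECT *:/, "", name)
            sub(/[ \t\r]+$/, "", name)
            if (name == "pkcs7-signedData") next
            # The first algorithm OID in the token is the digestAlgorithms entry;
            # stop at TSTInfo so later OIDs (certificate fields) are ignored.
            if (name != "id-smime-ct-TSTInfo") alg = name
            scan = 0
        }
        END {
            if (seen) print "rfc3161 " (alg != "" ? alg : "unknown")
            else if (legacy) print "authenticode"
            else print "none"
        }'
}

# Release gate: succeed only for an RFC 3161 timestamp whose digest is SHA-256.
require_sha256_timestamp() {
    [ "$(timestamp_kind)" = "rfc3161 sha256" ]
}

sample_rfc3161() {  # lines taken from the dump quoted in Message 4
    cat <<'EOF'
unauth_attr:
    object: undefined (1.3.6.1.4.1.311.3.3.1)
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   45:d=4  hl=2 l=  11 prim: OBJECT            :id-smime-ct-TSTInfo
EOF
}

sample_legacy() {   # constructed sample of a legacy countersignature attribute
    printf 'unauth_attr:\n    object: countersignature (1.2.840.113549.1.9.6)\n'
}

sample_rfc3161 | timestamp_kind
```

On a real installer, pipe the output of the `openssl pkcs7 -print` command quoted in Message 4 into `require_sha256_timestamp` and fail the signing step on a non-zero exit status.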