[tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Dec 31 14:33:47 UTC 2010


#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
 Reporter:  rransom                   |       Owner:  erinn
     Type:  defect                    |      Status:  new  
 Priority:  critical                  |   Milestone:       
Component:  Tor bundles/installation  |     Version:       
 Keywords:                            |      Parent:       
--------------------------------------+-------------------------------------
 Currently, [https://www.torproject.org/docs/verifying-signatures we tell
 users] that the GPG signatures linked to from the download page 'allow you
 to verify the file you've downloaded is exactly the one that we intended
 you to get. For example, tor-browser-1.3.15_en-US.exe is accompanied by
 tor-browser-1.3.15_en-US.exe.asc.'  This is false.

 The GPG signatures only prove that a particular person associated with The
 Tor Project has signed a particular file; they do not authenticate the
 filename, thus they do not authenticate the package name or the package
 version, and they do not prove that a particular package file is the final
 build of a package version which we want to distribute to users.  This
 leaves our users vulnerable to version-rollback attacks and package-
 substitution attacks if they download packages from mirrors or over non-
 HTTPS connections.

 We should:

 * switch to signing the output of `sha256sum` on a package file, which
 includes the filename and a hash of the file, rather than signing the
 package file directly, and
 * explain on the verifying-signatures page how to verify downloaded
 packages using the signed SHA256SUM files, including explaining that
 unless there is a blank line after the '`Hash: `' line and before the
 hash-and-filename lines, the SHA256SUM file has been tampered with.
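 The check described above, as an added illustration that is not part of
 this ticket or of any Tor tool: a small parser for a clearsigned
 SHA256SUM file that (a) refuses the file unless the blank line directly
 follows the '`Hash: `' line, so that nothing in the unsigned armor-header
 region can be mistaken for a checksum entry, and (b) matches the
 downloaded file against the entry for its filename, so that the name and
 version are what the signer vouched for. The package bytes, the
 checksum line and the signature block are constructed placeholders; in
 real use `gpg --verify` must succeed on the file before its contents are
 trusted at all.

```python
import hashlib
import re

# Constructed sample package and its real SHA-256 digest (not a Tor release).
PACKAGE_NAME = "tor-browser-1.3.15_en-US.exe"
PACKAGE_BYTES = b"constructed stand-in for the package contents\n"
PACKAGE_SHA256 = hashlib.sha256(PACKAGE_BYTES).hexdigest()

# Constructed clearsigned SHA256SUMS file in the layout `gpg --clearsign`
# produces for `sha256sum` output. The signature block is a placeholder;
# `gpg --verify` must succeed on the real file before this parser is used.
SIGNED_SUMS = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    f"{PACKAGE_SHA256}  {PACKAGE_NAME}\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "<placeholder signature data>\n"
    "-----END PGP SIGNATURE-----\n"
)

# Same content with the blank line after "Hash:" removed: the checksum line
# now sits in the unsigned armor-header region and must be rejected.
TAMPERED_SUMS = SIGNED_SUMS.replace("Hash: SHA256\n\n", "Hash: SHA256\n", 1)

# sha256sum output: 64 hex digits, a space, then ' ' (text) or '*' (binary).
SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](\S+)$")


def parse_clearsigned_sums(text: str) -> dict[str, str]:
    """Return {filename: sha256hex} from the signed body of a clearsigned file.

    Only the lines between the blank line that ends the armor headers and
    "-----BEGIN PGP SIGNATURE-----" are covered by the signature, so any
    other layout is rejected rather than silently skipped.
    """
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned message")
    if len(lines) < 2 or not lines[1].startswith("Hash: "):
        raise ValueError("missing Hash: header")
    # The ticket's check: the blank line must directly follow "Hash:".
    if len(lines) < 3 or lines[2] != "":
        raise ValueError("no blank line after the Hash: line: tampered")
    entries: dict[str, str] = {}
    for line in lines[3:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if line.startswith("- "):  # clearsign dash-escaping of body lines
            line = line[2:]
        m = SUM_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected line in signed body: {line!r}")
        digest, name = m.group(1), m.group(2)
        if name in entries:
            raise ValueError(f"duplicate entry for {name}")
        entries[name] = digest
    else:
        raise ValueError("signature block missing")
    if not entries:
        raise ValueError("no checksum entries in signed body")
    return entries


def verify_package(entries: dict[str, str], filename: str, data: bytes) -> bool:
    """True only if the signed list names this file and its digest matches.

    A filename absent from the signed list (a substituted or rolled-back
    package) is a failure, not a skip: the name is part of what was signed.
    """
    expected = entries.get(filename)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    sums = parse_clearsigned_sums(SIGNED_SUMS)
    print("genuine file verifies:", verify_package(sums, PACKAGE_NAME, PACKAGE_BYTES))
    print("other version verifies:",
          verify_package(sums, "tor-browser-1.3.14_en-US.exe", PACKAGE_BYTES))
    try:
        parse_clearsigned_sums(TAMPERED_SUMS)
    except ValueError as exc:
        print("tampered file rejected:", exc)
```

 The parser is deliberately strict: a line that is neither a checksum entry
 nor the start of the signature block is an error, because a verifier that
 skips unrecognised lines gives an attacker room to smuggle text past the
 reader.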

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

