[tor-bugs] #13379 [Tor Browser]: Sign our MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 15 14:06:48 UTC 2014


#13379: Sign our MAR files
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mcs
  mikeperry              |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-security,
  Browser                |  TorBrowserTeam201412,TorBrowserTeam201412R
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 Replying to [comment:36 mcs]:
 > Kathy and I made changes to use a SHA512-based signature.  Please review.
 >
 > https://gitweb.torproject.org/user/brade/tor-browser.git/commit/?h=bug13379-02&id=14447aca2f31c56ccadc289cef5f756e97d1f3a9
 >
 > I created a test certificate and exported it to a .der file by using these commands:
 > {{{
 > ./certutil -d .nss -N
 > ./certutil -d .nss -S -x -g 4096 -Z SHA512 -n marsigner -s "CN=Tor Browser MAR signing key" -t,,
 > ./certutil -d .nss -L -r -n marsigner -o marsigner.der
 > }}}

 This one looks good to me. Just one question: Why do we need the changes
 in cryptox.h? I was under the impression we have `MAR_NSS` defined anyway
 and thus there is no risk we would enter the `#elif XP_MACOSX` and `#elif
 defined(XP_WIN)` blocks.

 I think I am going to test the MAR signing a bit. What scenarios did your
 testing already cover?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:38>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

