[tor-bugs] #13379 [Tor Browser]: Sign our MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 16 13:27:50 UTC 2014 

#13379: Sign our MAR files
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mcs
  mikeperry              |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-security,
  Browser                |  TorBrowserTeam201412,TorBrowserTeam201412R
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 Okay, here is what I've got so far:

 1) signmar.sh is not executable
 2) I don't get the update working it seems. I get
 {{{
 ERROR: Unsupported signature algorithm (SHA1 with RSA).
 ERROR: Unsupported signature algorithm (SHA1 with RSA).
 }}}
 How do I debug this? Any ideas? I did the following:

 1) I created two certificates and added them atop of your tor-browser
 changes (commit 14447aca2f31c56ccadc289cef5f756e97d1f3a9) and tagged that
 (I just checked that I really included the 4k-bit certs with SHA-512)
 2) I checked out your tor-browser-bundle branch (commit
 186d339c394a7083faed064a218280fe52500f1b) and built a 4.5-alpha-2 with the
 tag mentioned in 1)
 3) I bumped the version to 4.5-alpha-3 and excluded HTTPS-Everywhere from
 the bundling step and built that version, too.
 4) I modified the config.yml to allow an incremental update from
 4.5-alpha-2 to 4.5-alpha-3
 5) I built that incremental update.
 6) I downloaded the .mar files and the 4.5-alpha-2*tar.xz on my local
 computer and signed the .mar files (verifying the signature with `signmar`
 gives me no error and there is indeed a signature available; `marsigner`
 on my local computer is indeed the cert I added to tor-browser)
 7) I extracted 4.5-alpha-2*tar.xz
 8) I followed
 https://wiki.mozilla.org/Software_Update:Manually_Installing_a_MAR_file
 (Steps for Linux)
 9) `update.log` shows basically "failed: 19" and the above error messages
 are shown

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:41>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list