[tor-bugs] #13379 [Tor Browser]: Sign our MAR files
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 17 12:40:42 UTC 2014
#13379: Sign our MAR files
-------------------------+-------------------------------------------------
Reporter: | Owner: mcs
mikeperry | Status: needs_review
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-security,
Browser | TorBrowserTeam201412,TorBrowserTeam201412R
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by gk):
If I sign the .mar files with the key embedded in the second certificate I
get
{{{
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
}}}
But the update with the full .mar file works and the one with the
incremental .mar file is broken as described above. I guess these errors
occur as the verifier is first trying the first key which results in an
error and then falling back to the second one. I am not sure whether users
get to see these errors during a "real" update. They might get confused
and thus it might be better to show errors only if the signature
verification fails. On the other hand it might be helpful later on when we
embed more than one signature to log verification failures even if the
signature verification succeeds (for instance if we have two signatures
but require only one to succeed). So, maybe we should leave that for now
as-is?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:45>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list