[tor-bugs] #13379 [Tor Browser]: Sign our MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 17 15:43:26 UTC 2014


#13379: Sign our MAR files
---------------------------+-----------------------------------------------
      Reporter:  mikeperry  |      Owner:  mcs
          Type:  defect     |     Status:  needs_review
      Priority:  major      |  Milestone:
     Component:  Tor Browser|    Version:
    Resolution:             |   Keywords:  tbb-security,
                            |  TorBrowserTeam201412,TorBrowserTeam201412R
 Actual Points:             |  Parent ID:
        Points:             |
---------------------------+-----------------------------------------------

Comment (by mcs):

 Replying to [comment:43 gk]:
 > Yes, you guessed correctly. I am not signing on my build server as I
 > don't put the private keys there and had forgotten to update my local
 > signmar copy. Interesting that it signed the .mar at all with the new
 > key... Anyway, I found a new problem: signature verification works but for
 > some reason my incremental update is broken now. In the update.log I get:
 > {{{
 > SOURCE DIRECTORY /home/firefox64/signtest/tor-browser_en-US/Browser/updates
 > DESTINATION DIRECTORY /home/firefox64/signtest/tor-browser_en-US/Browser
 > failed: 23
 > calling QuitProgressUI
 > }}}
 > The full update is working fine, though. I was curious and tested a
 > vanilla 4.5-alpha-2 and made exactly the same changes as I did when
 > testing your patch and it turned out that incremental update is working.
 > Thus, I suspect there is something in the new code that is causing this.
 > Any ideas?

 Error 23 is "VERSION_DOWNGRADE_ERROR".  The error codes are here:
 https://gitweb.torproject.org/tor-browser.git/tree/toolkit/mozapps/update/common/errors.h

 I am not sure exactly what happened, but the product information block for
 the incremental MAR file must have contained the wrong version number.
 Unfortunately, the mar and signmar programs have a default version number
 embedded in them at build time, which is used to set the version within
 the Product Information Block of created MAR files.  So we need to be
 really careful which mar or signmar program is used when the MAR files are
 created or we will need to modify Mozilla's make_incremental_update.sh and
 make_full_update.sh scripts to let us pass in the product version when we
 create a MAR file.

 You can use the -T option with mar and signmar to see the version number
 that is embedded within the product info block.  Kathy and I were hoping
 that using the default version number would not be a problem, but it may
 be depending on our signing procedure.  Also, the mar and signmar programs
 support a -i option that can be used to "refresh" the product info that is
 embedded within a MAR file (including setting a new version number).  The
 refresh can only be done on an unsigned MAR file.  But if we need to, we
 could do that before signing the files.  But I would like to know where
 the process went wrong for you (if you can figure that out).


 > And one request: Could you make the path to the nssdb configurable by an
 > environment variable (e.g. NSSDBPATH)? For security reasons I plan to keep
 > my signing keys offline using them offline directly from the storage
 > device and hard-coding the path to the database does not work so well
 > under that scenario.

 Yes, will do.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:48>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
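
Added example (not part of the ticket comment or of the Tor Browser code base): a pre-signing check in Python that reads the product version from a MAR file's Product Information Block, the value `mar -T` reports, and compares it with the version the release is meant to carry. It assumes the signed-MAR layout (header, file size, signature entries, additional sections); the function names, channel name and version strings are constructed for illustration.

```python
import struct

PRODUCT_INFO_BLOCK_ID = 1  # additional-section ID of the Product Information Block

def read_product_info(mar: bytes):
    """Return (channel, version) from the Product Information Block, or None."""
    if mar[:4] != b"MAR1":
        raise ValueError("not a MAR file")
    pos = 8 + 8  # magic + index offset, then the 8-byte total file size
    (num_sigs,) = struct.unpack_from(">I", mar, pos)
    pos += 4
    for _ in range(num_sigs):  # skip signature entries: algorithm, length, bytes
        _alg, sig_len = struct.unpack_from(">II", mar, pos)
        pos += 8 + sig_len
    (num_blocks,) = struct.unpack_from(">I", mar, pos)
    pos += 4
    for _ in range(num_blocks):
        size, block_id = struct.unpack_from(">II", mar, pos)  # size includes these 8 bytes
        if size < 8 or pos + size > len(mar):
            raise ValueError("corrupt additional section")
        if block_id == PRODUCT_INFO_BLOCK_ID:
            fields = mar[pos + 8 : pos + size].split(b"\0")
            if len(fields) < 3:  # need channel NUL version NUL
                raise ValueError("malformed product information block")
            return fields[0].decode(), fields[1].decode()
        pos += size
    return None

def version_problem(mar: bytes, expected: str):
    """Return a description of the mismatch, or None if the version is as expected."""
    info = read_product_info(mar)
    if info is None:
        return "no product information block"
    if info[1] != expected:
        return f"embedded version {info[1]!r} != expected {expected!r}"
    return None

def build_sample_mar(channel: str, version: str, signatures=()) -> bytes:
    """Constructed test input: a MAR with a PIB and an empty index, no content."""
    pib = channel.encode() + b"\0" + version.encode() + b"\0"
    body = struct.pack(">I", len(signatures))
    for sig in signatures:
        body += struct.pack(">II", 1, len(sig)) + sig
    body += struct.pack(">III", 1, 8 + len(pib), PRODUCT_INFO_BLOCK_ID) + pib
    index_offset = 16 + len(body)
    total = index_offset + 4  # 4-byte index size field, zero entries
    return (b"MAR1" + struct.pack(">IQ", index_offset, total) + body
            + struct.pack(">I", 0))
```

Running `version_problem()` on each full and incremental MAR before signing catches a stale default version from the wrong `mar` or `signmar` binary while the file can still be refreshed with `-i`.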