[tor-bugs] #13379 [Tor Browser]: Sign our MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 11 14:03:38 UTC 2014 

#13379: Sign our MAR files
-----------------------------+--------------------------
     Reporter:  mikeperry    |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  major        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-security
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------

Comment (by gk):

 Replying to [comment:6 mcs]:
 > Replying to [comment:5 gk]:
 > > Given your knowledge of the MAR signing code Mozilla provides do you
 think there are general obstacles to extend that to add support for a
 verification method relying on more than one key?
 >
 > I am not sure exactly what you are asking.  Mozilla currently supports
 embedding zero or more signatures in a MAR file.  The signatures are added
 using a program named signmar which is really just a more capable variant
 of the mar program.  signmar requires an NSS certificate database that
 contains a private key plus a self-signed certificate.
 >
 > Then, if you configure the Firefox build with --enable-verify-mar, one
 or two certificates are embedded in the updater program and signatures
 contained within any MAR file that is downloaded are checked against those
 certificates.  All signatures must be verified using one or the other cert
 or the MAR file will be rejected; that is, if the MAR file contains two
 signatures both must be verifiable.  And at least one signature must be
 present when --enable-verify-mar is turned on.

 Thanks. I was basically asking whether it is easily possible to avoid the
 bottleneck of just having one signing key. Originally, I was thinking in
 order to avoid that we somehow need to bolt the verification of the
 signing and hashing we do for the reproducible builds onto the MAR signing
 as a kind of additional assurance that everything is okay (like we have it
 now with a signature for each package and an "advanced verification" via
 the sah256sums and a couple of builder who sign that file with their own
 key). But, great that Mozilla supports having multiple signing keys as we
 may be able to leverage that work to get the same results or at least
 comparable ones (security-wise).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list