[tor-bugs] #13379 [Tor Browser]: Sign our MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 17 22:11:53 UTC 2014 

#13379: Sign our MAR files
-----------------------------+-------------------------------------------
     Reporter:  mikeperry    |      Owner:  mcs
         Type:  defect       |     Status:  needs_review
     Priority:  major        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-security,MikePerry201411R
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-------------------------------------------

Comment (by mcs):

 Here are a few more details on the signing key and cert.

 The certificates files that get embedded in the updater are contained in
 these files within the tor-browser tree:
 {{{
 toolkit/mozapps/update/updater/dep1.der
 toolkit/mozapps/update/updater/dep2.der
 toolkit/mozapps/update/updater/nightly_aurora_level3_primary.der
 toolkit/mozapps/update/updater/nightly_aurora_level3_secondary.der
 toolkit/mozapps/update/updater/release_primary.der
 toolkit/mozapps/update/updater/release_secondary.der
 toolkit/mozapps/update/updater/xpcshellCertificate.der
 }}}

 dep1.der and dep2.der are no longer used; Mozilla used to use them for
 "depend" builds (maybe for their try server?).

 The nightly_aurora_level3*.der files will be embedded in nightly builds.
 We need to decide what to do about those, if anything (at the moment,
 people who run our nightly builds do not expect to receive automated
 updates).

 The release_*.der files will be embedded in our alpha, beta, and release
 builds.  These are the most important ones.

 The xpcshellCertificate.der is used by Mozilla for testing; it is embedded
 in all other builds, e.g., developer builds that lack an update channel.

 I generated a test certificate by running these two commands:
 {{{
 ./certutil -d .nss -N
 ./certutil -d .nss -S -x -g 3072 -n marsigner -s "CN=Tor Browser MAR
 signing key" -t,,
 }}}
 I exported it to a .der file via:
 {{{
 ./certutil -d .nss -L -r -n marsigner -o marsigner.der
 }}}
 I then replaced both release_primary.der and release_secondary.der with
 the contents of marsigner.der (currently, a signature is considered "good"
 if the key associated with either the primary or the secondary
 certificates was used to create the signature; other policies could be
 implemented).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list