[tor-bugs] #13379 [Tor Browser]: Sign our MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 25 08:38:04 UTC 2014


#13379: Sign our MAR files
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mcs
  mikeperry              |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-security, TorBrowserTeam201411R
  Browser                |  Parent ID:
   Resolution:           |
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 Replying to [comment:19 mcs]:
 > Replying to [comment:17 boklm]:
 > > The change to add the --createIncrementalMARs command line to
 update_responses looks good.
 > >
 > > The other changes introduce a single makefile rule to generate the
 incremental mar files and sign them. I am wondering if we should separate
 the incremental mar files generation, and the signature, to allow a
 process like this:
 > > - build tor-browser
 > > - generate incremental mars
 > > - upload sha256sums.incrementals.txt of unsigned mar files
 > > - check that sha256sums.txt and sha256sums.incrementals.txt are
 matching
 > > - sign the mar files, update responses xml files and upload
 >
 > It would be simple to keep 'incrementals' as a separate Make target.
 The reason I put everything in one script was to make it less likely that
 things would happen in the wrong order.
 >
 > gk or mikeperry:  What do you think?  What will the release process look
 like once we need to sign the MAR files?

 I think we should use a process that allows independent builders to check
 whether they got the same results as we easily. And this means, I think,
 we should follow boklm's idea: building everything including the
 incremental MAR files and uploading everything and then in a separate step
 doing the signing and all the things needed for getting the updates
 delivered. I see at least two important reasons why we want to do it this
 way:
 1) We want to have many builders to make it less likely our builds are
 compromised. Building with gitian is already tedious and we should not
 make it even more difficult to get matching builds, which we would if we
 included the signing before the SHA sum creation.
 2) There may be people that trust our reproducible build system but not
 the complex signing process/code and fetching some update from some
 server. Following boklm's idea they could pretty well get the benefits of
 building Tor Browser themselves and applying the MAR update manually
 (which users are already doing).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
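The ordering boklm proposes and gk endorses above (build, generate incremental MARs, publish sha256sums of the unsigned MARs, compare with other builders, and only then sign) can be expressed as a gate in the release script. The following is an added example and is not code from the ticket or from Tor Browser's release tooling; it assumes the sums file is called sha256sums.incrementals.txt, uses constructed fake MAR files so it runs offline, and leaves the actual signmar call as a comment because its flags are an assumption about the Mozilla tool rather than something the ticket shows.

```shell
#!/bin/sh
# Added example, not part of the ticket or of Tor Browser's release tooling.
# Gate the MAR signing step on a second builder's sha256sums matching ours:
# build, generate MARs, publish sums of the *unsigned* MARs, compare, then sign.
# Assumptions: sums file named sha256sums.incrementals.txt; the commented-out
# signmar invocation uses flags assumed from Mozilla's tool.
set -u

# List every *.mar under $1 with its SHA-256, sorted by name for a stable compare.
make_sums() {
    ( cd "$1" && LC_ALL=C ls *.mar | LC_ALL=C sort | xargs sha256sum )
}

# Return 0 only if $1 and $2 list the same files with the same hashes.
# Both lists are normalised (binary-mode "*" marker dropped, sorted by name)
# so that lists produced on different hosts compare byte for byte.
check_matching_builds() {
    ours=$1; theirs=$2
    [ -s "$ours" ] && [ -s "$theirs" ] || { echo "missing sums file" >&2; return 2; }
    tmp=$(mktemp -d)
    sed 's/ \*/  /' "$ours"   | LC_ALL=C sort -k2 > "$tmp/ours"
    sed 's/ \*/  /' "$theirs" | LC_ALL=C sort -k2 > "$tmp/theirs"
    if cmp -s "$tmp/ours" "$tmp/theirs"; then
        rm -rf "$tmp"
        return 0
    fi
    echo "sha256sums differ between builders; refusing to sign:" >&2
    diff "$tmp/ours" "$tmp/theirs" >&2 || true
    rm -rf "$tmp"
    return 1
}

# Signing step, to be run only after check_matching_builds returned 0.
# The signmar flags below are an assumption, so the call stays a comment.
sign_mars() {
    dir=$1
    for f in "$dir"/*.mar; do
        : # signmar -d "$NSS_DIR" -n "$CERT_NICK" -s "$f" "${f%.mar}.signed.mar"
        echo "would sign $(basename "$f")"
    done
}

# Constructed demonstration: two builders with identical fake MARs, and a third
# whose output differs by one byte. Prints the gate result for each comparison.
demo() {
    work=$(mktemp -d)
    for b in ours theirs tampered; do
        mkdir -p "$work/$b"
        printf 'MAR1 constructed incremental a\n' > "$work/$b/sample-a.incremental.mar"
        printf 'MAR1 constructed incremental b\n' > "$work/$b/sample-b.incremental.mar"
        make_sums "$work/$b" > "$work/$b/sha256sums.incrementals.txt"
    done
    printf 'X' >> "$work/tampered/sample-b.incremental.mar"
    make_sums "$work/tampered" > "$work/tampered/sha256sums.incrementals.txt"

    check_matching_builds "$work/ours/sha256sums.incrementals.txt" \
                          "$work/theirs/sha256sums.incrementals.txt" && rc_ok=$? || rc_ok=$?
    check_matching_builds "$work/ours/sha256sums.incrementals.txt" \
                          "$work/tampered/sha256sums.incrementals.txt" 2>/dev/null && rc_bad=$? || rc_bad=$?
    [ "$rc_ok" -eq 0 ] && sign_mars "$work/ours" >/dev/null
    rm -rf "$work"
    echo "match=$rc_ok tampered=$rc_bad"
}
```

Keeping the signature out of the compared artifacts is what makes the comparison possible at all: two builders can only produce identical sha256sums.incrementals.txt if the MARs they hash are the unsigned ones, since the signing key is held by one party only. A builder who distrusts the signing step can stop after check_matching_builds and apply the unsigned MAR manually, as gk's second point describes.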