[tor-bugs] #13379 [Tor Browser]: Sign our MAR files
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 27 11:52:27 UTC 2014
#13379: Sign our MAR files
-------------------------+-------------------------------------------------
Reporter: | Owner: mcs
mikeperry | Status: needs_review
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-security, TorBrowserTeam201411R
Browser | Parent ID:
Resolution: |
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by gk):
There are some wrinkles here when generating certificates:
1) We are stuck with SHA1 for the moment which is not optimal to say the
least. I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1105689 to
get that fixed upstream. Not sure how easy it would be to loosen that
constraint ourselves. Maybe we'd need to just get rid of that check in
https://mxr.mozilla.org/mozilla-
central/source/modules/libmar/verify/mar_verify.c#330
2) Newer `certuils` versions use SHA256 by default. This got implemented
by https://bugzilla.mozilla.org/show_bug.cgi?id=1058933. So be sure to
check the resulting cert with something like `openssl x509 -in
marsigner2.der -inform der -text | grep sha1WithRSAEncryption`
3) If you happen to have such a newer `certutils` you may change the
default hash algorithm with the `-Z` option which is basically
undocumented (this is
https://bugzilla.mozilla.org/show_bug.cgi?id=1058870)
4) It is not possible to store two certs with the same CN in the database
(even if the nicknames are different).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:30>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list