[tor-bugs] #13201 [Website]: Tor Installation OS X Step Three
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 20 15:06:12 UTC 2014
#13201: Tor Installation OS X Step Three
-------------------------------------------------+-------------------------
Reporter: tiredpixel | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Website | Version:
Keywords: osx, homebrew, installation, | Actual Points:
verification, checksums | Points:
Parent ID: |
-------------------------------------------------+-------------------------
Please find below a copy of a letter I recently wrote to
help at rt.torproject.org regarding some thoughts about Tor Installation OS X
Step Three, as detailed on the website. As requested, I am submitting it
as a ticket. I am marking it as a defect, as some of it at least refers to
the possibility of the installation instructions for OS X not being up-to-
date (although other parts could be considered as improvements). Please
excuse it not being broken up into smaller tickets; I am not sure where
any such division would be best. Let's take this as a place to start, and
break anything up if it is clear to someone and deemed useful. :)
Peace,
tiredpixel
---
Dear Tor,
On https://www.torproject.org/docs/tor-doc-osx.html.en 'Step Three', it
says
Unfortunately, Homebrew does not come with integrated verification for
downloads, and anyone could submit a modified Tor! Currently, we don't
have good instructions on how to verify the Tor download on Mac OSX. If
you think you do, please let us know!
Is this up-to-date? Homebrew contains the ability to checksum both bottles
and sources packages, and these appear to be specified in the build recipe
for Tor:
https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb
Modifying my local `/usr/local/Library/Formula/tor.rb` and purposely
corrupting the checksums seemed to yield the desired behaviour (after
clearing the caches), with the bottle installation being skipped because
of the failed checksum
(https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L11),
and then the source installation failing because of that failed checksum
(https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L6).
Admittedly, this does not make it easy for the user to verify the
installation themselves, and requires a large amount of trust in Homebrew.
However, presuming the trust in the package manager itself installing from
the locally downloaded package, perhaps it is possible for the concerned
user to skip the bottle installation and force a source installation
(slower, of course, but not massively so) using something like:
brew install tor --build-from-source
Then, observing the output for the location of the cache (which could also
be guessed from the version reported in `brew info tor`), fetching the
signature from the Tor website, and verifying:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz.asc -o tor-
sig.asc
gpg --verify tor-sig.asc /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
However, this also requires GPG, of course, which in turn can be installed
using Homebrew or GPGTools (binary package), so perhaps this doesn't make
the user much more at ease. Perhaps the latter consideration doesn't cause
too much worry, however, as it appears to be in the instructions for
verifying signatures on OS X (https://www.torproject.org/docs/verifying-
signatures.html.en). Manually verifying the SHA checksum, too, however
(which is what Homebrew appears to do), could give a little more
confidence:
shasum -a 256 /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
However, unlike for the SHA 256 sums provided for the browser
(https://www.torproject.org/dist/torbrowser/4.0-alpha-2/sha256sums.txt), I
cannot seem to find a list of these. But then, arguably it's a small
download anyway, so if we don't mind the duplication of the download work:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz | shasum -a
256
This matches the version Homebrew cached, which increases confidence.
By this point, however, we could just as easily warm the source cache for
Homebrew ourselves, which would block installation if the checksum does
not match that expected by Homebrew:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz -o
/Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
This does, of course, require knowledge of which version is about to be
installed, but `brew info tor` suffices for that.
I suppose it comes down to whether I trust Homebrew in its installation,
and whether I trust its embedded checksums to be accurate. For the former,
I probably shouldn't be using it for installations, although admittedly
verifying my Homebrew installation itself is a whole other issue (although
here, too, confidence could be gained by using the knowledge of it being a
Git repository and doing something like `cd $(brew --prefix) && git remote
-v && git pull`, but also presumes the `--prefix` output is accurate,
etc.). If I don't trust its embedded checksums to be accurate, perhaps an
approach balancing concern with usability would be:
brew info tor
# observe stable version
export BREW_TOR_VERSION=0.2.4.23
curl https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz" -o
"/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
curl
"https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz.asc" -o tor-
sig.asc
gpg --verify tor-sig.asc
"/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
# observe good signature, leaving checksum checking to Homebrew, as
we've supplied the source
brew install tor --build-from-source
# observe that cache was used and nothing exploded
Although, it might be more convenient to use `brew fetch` for the source.
Perhaps there may be a better way to accomplish this, particularly the
last step. But hopefully, it is better than nothing for the concerned
user.
Peace,
tiredpixel
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13201>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list