[tor-bugs] #15539 [Tor bundles/installation]: Removing signature on Tor Browser .exe should result in SHA256 value listed in sha256sums.txt

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 1 13:46:44 UTC 2015


#15539: Removing signature on Tor Browser .exe should result in SHA256 value listed
in sha256sums.txt
------------------------------------------+-----------------
     Reporter:  gk                        |      Owner:  gk
         Type:  defect                    |     Status:  new
     Priority:  normal                    |  Milestone:
    Component:  Tor bundles/installation  |    Version:
   Resolution:                            |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |
------------------------------------------+-----------------

Old description:

> Since #3861 landed we do the authenticode code-signing for Windows Tor
> Browser .exe files. In order to compare these files with the ones we
> built deterministically we need to strip its signature. It turns out that
> this works using e.g. osslsigncode but (surprise!) one does not get the
> same SHA256 sum back.

New description:

 Since #3861 landed we do the authenticode code-signing for Windows Tor
 Browser .exe files. In order to compare these files with the ones we built
 deterministically we need to strip its signature. It turns out that this
 works using e.g. `osslsigncode` but (surprise!) one does not get the same
 SHA256 sum back.

--

Comment (by gk):

 Useful analysis done in #3861:

 "Neither osslsigncode nor disitool get a .exe that matches the original,
 unsigned .exe (which got signed by signtool as a stopgap until we get our
 authenticode signing on Linux going) after I stripped the signature. The
 diff boils down to:
 {{{
 --- /dev/fd/63  2015-03-31 16:45:12.639747705 +0200
 +++ /dev/fd/62  2015-03-31 16:45:12.647747512 +0200
 @@ -11,7 +11,7 @@
  00000a0: 0050 0000 00ac 0100 2743 0000 0010 0000  .P......'C......
  00000b0: 00a0 0000 0000 4000 0010 0000 0002 0000  ...... at .........
  00000c0: 0400 0000 0600 0000 0400 0000 0000 0000  ................
 -00000d0: 0060 0400 0004 0000 41b6 0100 0200 0080  .`......A.......
 +00000d0: 0060 0400 0004 0000 94b6 2202 0200 0080  .`........".....
  00000e0: 0000 2000 0010 0000 0000 1000 0010 0000  .. .............
  00000f0: 0000 0000 1000 0000 0000 0000 0000 0000  ................
  0000100: 0090 0200 0413 0000 00c0 0300 a894 0000  ................
 @@ -2236612,4 +2236612,4 @@
  2220c30: 7d7b 4d5b 0d90 1b6d cff0 0563 5fb0 5f4a  }{M[...m...c_._J
  2220c40: 950a 1208 9218 b015 49a0 05f9 db75 391f  ........I....u9.
  2220c50: 855e 2cec 1272 e4ff ffb1 edbc b0b6 d819  .^,..r..........
 -2220c60: f9                                       .
 +2220c60: f900 0000 0000 0000                      ........
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15539#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
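
An added example, not part of the ticket or of Tor's build tooling: one way to compare a signature-stripped `.exe` with the deterministic build despite the two differences the diff above shows. Those are four bytes at 0xd8, where the optional header's CheckSum field sits when the PE header starts at 0x80 (assumed here), and seven zero bytes appended to reach an 8-byte boundary. The names `normalized_sha256` and `make_sample` are hypothetical and the sample images are constructed.

```python
import hashlib
import struct


def normalized_sha256(data: bytes) -> str:
    """SHA256 of a signature-stripped or never-signed PE file, ignoring the
    CheckSum field and zero padding up to the next 8-byte boundary."""
    buf = bytearray(data)
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]      # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24            # skip 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Data directory 4 is the certificate table; it must be empty after stripping.
    dirs = opt + (96 if magic == 0x10B else 112)
    if struct.unpack_from("<II", buf, dirs + 4 * 8) != (0, 0):
        raise ValueError("certificate table present: strip the signature first")
    struct.pack_into("<I", buf, opt + 64, 0)             # zero the CheckSum field
    buf += b"\0" * (-len(buf) % 8)                       # pad to 8-byte boundary
    return hashlib.sha256(buf).hexdigest()


def make_sample(checksum: int, tail: bytes) -> bytes:
    """Constructed PE32 header stand-in (not a loadable executable)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # PE header at 0x80 (assumed)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, 0xD8, checksum)          # CheckSum lands at 0xd8
    return bytes(img) + tail


# Constructed samples mirroring the diff: same content, different CheckSum,
# and seven trailing zero bytes on the stripped file.
TAIL = b"\x11" * 8 + b"\xf9"
ORIGINAL = make_sample(0x0001B641, TAIL)
STRIPPED = make_sample(0x0222B694, TAIL + b"\0" * 7)

if __name__ == "__main__":
    print(hashlib.sha256(ORIGINAL).hexdigest() == hashlib.sha256(STRIPPED).hexdigest())
    print(normalized_sha256(ORIGINAL) == normalized_sha256(STRIPPED))
```

The normalized digest will not match the value in `sha256sums.txt`; it is only meaningful when the same function is applied to both the locally built file and the stripped download.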