[tor-bugs] #18008 [Tor Browser]: Create a new MAR signing key and bake it into Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 19 11:44:09 UTC 2016


#18008: Create a new MAR signing key and bake it into Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  gk
     Type:  enhancement                          |         Status:
 Priority:  Medium                               |  needs_review
Component:  Tor Browser                          |      Milestone:
 Severity:  Normal                               |        Version:
 Keywords:  tbb-security, TorBrowserTeam201601   |     Resolution:
  GeorgKoppen201601R tbb-5.5                     |  Actual Points:
Parent ID:                                       |         Points:
  Sponsor:                                       |
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  new => needs_review
 * keywords:  tbb-security, TorBrowserTeam201601 GeorgKoppen201601 => tbb-
     security, TorBrowserTeam201601 GeorgKoppen201601R tbb-5.5


Comment:

 Okay, the patch is in bug_18008 (https://gitweb.torproject.org/user/gk
 /tor-browser.git/commit/?h=bug_18008). I've tested that using the files
 found in https://people.torproject.org/~gk/testbuilds/18008/.

 The .tar.xz file has the new key baked in, the *en-US.mar file is
 unsigned, the *en-US_oldkey.mar file is signed by the MAR key we want to
 replace and the *en-US_newkey.mar file is signed by the new key. The
 update contains just a NoScript bump from 2.9 to 2.9.0.2.

 I tested this trying to update by extracting the .mar files manually. As
 expected applying the first two MAR files fails but applying the one
 signed with the new key succeeds. After restart the NoScript version is
 bumped to 2.9.0.2.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18008#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list