[tor-bugs] #18497 [Tor Browser]: Check that MAR signing is done properly on the files available in the update responses
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 7 20:19:32 UTC 2016
#18497: Check that MAR signing is done properly on the files available in the
update responses
-----------------------------+-------------------
Reporter: boklm | Owner: boklm
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Sponsor:
-----------------------------+-------------------
In #18405 we are adding a script to be used during the release process to
check that the MAR files are properly signed. We could have an other one
that is doing the same things on the files currently proposed as an
update. This would allow someone to easily check (maybe as a cron job)
that the updates currently available are the same as the ones in the
sha256sums-unsigned-build files.
In tools/update-responses/check_update_responses_deployement we have a
script that currently check that the update responses xml provides the
expected version. I think I could extend it to also download the mar files
it provides, unsign them and check that they match sha256sums-unsigned-
build.txt.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18497>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list