[tor-bugs] #20757 [Applications/Tor Browser]: Failure to verify tbb-windows-installer v3.1.0

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 26 22:45:22 UTC 2017


#20757: Failure to verify tbb-windows-installer v3.1.0
--------------------------------------+--------------------------
 Reporter:  dcf                       |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-gitian                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by dcf):

 I think I found the cause. It is not related to gnupg1 versus gnupg2.
 Rather, it is caused by
 [https://github.com/git/git/commit/b624a3e67f498cb41f704c9bd28e7d53076611c8
 this commit] in git, which added `--keyid-format=long` to gpg command
 lines, breaking the format expected by `git-gpg-wrapper`.

 `git-gpg-wrapper` is expecting a command line that looks like
 {{{
 --status-fd=1 --verify /tmp/.git_vtag_tmpkVQwPB -
 }}}
 but instead it is receiving a line that looks like
 {{{
 --status-fd=1 --keyid-format=long --verify /tmp/.git_vtag_tmpkVQwPB -
 }}}
 You can verify it yourself by adding a line `echo "$@" 1>&2` at the top of
 `git-gpg-wrapper`.

 If I hack `git-gpg-wrapper` to adjust the offsets, then tag verification
 finally works again for me.
 {{{
  # an expired key.
  # https://bugs.torproject.org/19737
  set -e
 -if [ $# -eq 4 ] && [ "$1" = '--status-fd=1' ] \
 -        && [ "$2" = '--verify' ]
 +if [ $# -eq 5 ] && [ "$1" = '--status-fd=1' ] \
 +        && [ "$3" = '--verify' ]
  then
 -    gpgv "$1" "$3" "$4" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\]
 GOODSIG /'
 +    gpgv "$1" "$4" "$5" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\]
 GOODSIG /'
      exit ${PIPESTATUS[0]}
  else
      exec gpg "$@"
 }}}
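Review bot: The new condition `[ $# -eq 5 ] ... [ "$3" = '--verify' ]` never checks `$2`, so any second argument is accepted and then silently dropped from the `gpgv "$1" "$4" "$5"` call; compare it explicitly, for example `[ "$2" = '--keyid-format=long' ]`. The change also replaces the four-argument match instead of adding to it, so a git older than 2.10.0-rc0 would fall through to `exec gpg "$@"` and lose the EXPKEYSIG rewrite. Keeping both forms, or locating `--verify` by scanning the arguments rather than by index, would avoid the same breakage the next time git adds an option.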

 According to the Debian changelog, the version of git that added
 `--keyid-format=long` was 2.10.0-rc0.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20757#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
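
The comment above traces the failure to matching gpg arguments by fixed position. The sketch below recognises the same verify invocation by scanning the arguments, so an inserted option such as `--keyid-format=long` does not change the result. It is an added example, not the tor-browser-bundle script or dcf's code; the function name `parse_verify_args` and the `VERIFY_*` variables are hypothetical.

```shell
# Added example: recognise git's "verify" call to gpg by scanning the
# arguments instead of relying on fixed positions.
# parse_verify_args and the VERIFY_* variables are hypothetical names.

# Returns 0 and sets VERIFY_STATUS, VERIFY_SIG, VERIFY_DATA when the
# arguments are a signature verification; returns 1 for anything else,
# in which case the caller should hand the arguments to gpg unchanged.
parse_verify_args() {
    VERIFY_STATUS='' VERIFY_SIG='' VERIFY_DATA=''
    while [ $# -gt 0 ]; do
        case "$1" in
            --status-fd=*)
                VERIFY_STATUS=$1 ;;
            --keyid-format=*)
                ;;  # accepted but not forwarded, as in the patch above
            --verify)
                # Must be last: --verify <signature file> <data, "-" = stdin>
                [ $# -eq 3 ] || return 1
                VERIFY_SIG=$2
                VERIFY_DATA=$3
                shift 2 ;;
            *)
                return 1 ;;  # unknown option: do not guess
        esac
        shift
    done
    [ -n "$VERIFY_SIG" ] && [ -n "$VERIFY_STATUS" ]
}

# Demo on the two command lines quoted in the comment (temp file name as
# it appears there).
for line in \
    '--status-fd=1 --verify /tmp/.git_vtag_tmpkVQwPB -' \
    '--status-fd=1 --keyid-format=long --verify /tmp/.git_vtag_tmpkVQwPB -'
do
    # shellcheck disable=SC2086  # word splitting is intended for the demo
    if parse_verify_args $line; then
        echo "verify: gpgv $VERIFY_STATUS $VERIFY_SIG $VERIFY_DATA"
    else
        echo "other:  gpg $line"
    fi
done
```

Both quoted command lines resolve to the same three values, while anything the parser does not recognise is left for `gpg` to handle unchanged.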