[tor-bugs] #18820 [Applications/Tor Browser]: Integrate code signing into the release process

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 26 00:27:04 UTC 2018


#18820: Integrate code signing into the release process
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  gk
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-6.0a5, TorBrowserTeam201702,     |  Actual Points:
  GeorgKoppen201702                              |
Parent ID:  #3893                                |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by traumschule):

 0) From a nerd perspective it would be interesting to find signed
 statements like:
 {{{
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512


 Checking that we are in possession the private key for $keyid.. Succeeded.
 Mounting .dmg image $tb_image_with_version_string.. Succeeded.
 Checking that TorBrowser.app is present.. Succeeded.
 TorBrowser.app has version: $version_string
 TorBrowser.app has sha256 checksum: $sum_tb
 Signing TorBrowser.app.. Succeeded.
 Signature file has sha256 checksum: $sum_tb_sig
 -----BEGIN PGP SIGNATURE-----

 iQGzBAEBCgAdFiEEk1ZN7YVGjZrCkDYFEu59cHERIFYFAluB6mgACgkQEu59cHER
 IFbFywv/Rn9Jz9ZB/do4V/bSa98PaZRfTIthstAxppP+Y0Xnphg0irOe9RTByV7y
 krAbbxzLGuzaHFmtKROBf9BvBBagesbYer6LKdO9MJtFLQBLplzNyjGFRVH9tiiL
 CpIfdyIZuM44ywHz+k1nKqaHIzfGxadzVGWnyhzoB6/CfY5So/hV154vrpHPwZkn
 6fLJRkb3qJ9ayYzXI8eno4UJBG4si5OwMaph+wbGBAJvwmACw8TknQO+l5yz6gTQ
 Ch1adk4L+/DAjZTJ+ltAau39FlihvfqMsuRoa4oMi9EPhzVpnfWVXhoAW2ZOlpq6
 rh4hT3FMFskXvMRzxhc968ICJCbGrN/H62u5vsg2kr5kSI2gi8zHcwnOKRwh7Ie7
 fhCET4WaGpWhbaDpq/ubq9lhprs3CJIn0s0W7XJ5ICAzq7WGqe6x2WGhlhHm3wbR
 0NkfX03M87cddxZNpLGUkK4PVuaMPPaduTxqJtFYFU3FeH+uR52XzROK5tiE20L/
 P071uUkK
 =puUy
 -----END PGP SIGNATURE-----
 }}}
 Then everyone with the necessary skills could download this statement from
 our website and verify it:
 {{{
 $ curl $tbo_url > tb_osx_version_statement.txt
 $ gpg --auto-key-retrieve --verify tb_osx_version_statement.txt
 gpg: Signature made Sun 26 Aug 2018 01:46:48 AM CEST
 gpg:                using RSA key 93564DED85468D9AC290360512EE7D7071112056
 gpg: key 12EE7D7071112056: public key "traumschule <traumschuleriebau at riseup.net>" imported
 gpg: Total number processed: 1
 gpg:               imported: 1
 gpg: Good signature from "traumschule <traumschuleriebau at riseup.net>" [unknown]
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 9356 4DED 8546 8D9A C290  3605 12EE 7D70 7111 2056
 }}}
 and be happy that there is a trustpath for the downloaded file.

 (Think of the tbo signing key here instead. It would also be good to
 integrate timestamps, to protect against attackers redoing this process
 for older versions.)

 2) From a user perspective only a detach-clearsigned shaX.sum file with
 sums for the .dmg and the signature file is interesting because it is
 automatically processable and supplies useful output:
 {{{
 $ wget $url_to_tba_osx_version.xz; tar xf $tba_osx_version.xz; cd tba_osx_version
 $ sha256sum -c sha256.sum
 tb_osx_version.dmg: OK
 tb_osx_version.dmg.asc: OK
 $ gpg --auto-key-retrieve --verify tb_osx_version.dmg.asc
 }}}

 3) From a webadmin's perspective no changes are needed except updating the
 signing page once. This would solve #9864, #22637, #26539 for us.

 4) The person who signs the file could run the signing script and carry
 the archive over to dist containing:
 - .dmg file
 - signature for .dmg file
 - checksum file for both
 - signature file for checksum file
 {{{
 # the .dmg is binary: detached, armored signature (--clearsign is for text)
 gpg --armor --detach-sign --output "$tb_osx_version.dmg.asc" "$tb_osx_version.dmg"
 sha256sum "$tb_osx_version.dmg" "$tb_osx_version.dmg.asc" > tb_osx_version_sha256.sum
 # --output is needed: gpg otherwise writes <file>.asc and ignores a redirect
 gpg --clearsign --output tb_osx_version_sha256.sum.asc tb_osx_version_sha256.sum
 cd ..; tar cJf tb_osx_version.tar.xz tb_osx_version/
 }}}

 5) An archive with these four files present can be considered trustworthy
 and reliably created by the tba signing person.

 Do you see an alternative to this process?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18820#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
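The sign-and-verify flow from points 2) and 4) of the comment above, as an added example; this is not code from the ticket, its author, or Tor Browser's release tooling. It creates a throwaway signing key in a temporary GNUPGHOME, signs a constructed stand-in for the .dmg with a detached armored signature, writes and clearsigns the checksum list, packs the archive, and then verifies it the way a downloader would, pinning the expected key fingerprint instead of accepting a "Good signature" from whatever key --auto-key-retrieve happens to fetch. Finally it swaps the .dmg in a copy of the archive to show the checksum step catching the substitution. The release name, the key's user ID, the file names and the payload bytes are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not Tor Project code): the four-file release layout proposed
# in the ticket comment, produced by the signer and checked by a downloader,
# plus a tamper test. File names, the throwaway key and the .dmg payload are
# assumptions for the demonstration.
set -eu

# Signer side. $1 work dir, $2 release name, $3 path to the .dmg to publish.
# Prints the path of the archive that would be carried over to dist.
sign_release() {
    workdir=$1; name=$2; dmg=$3
    mkdir -p "$workdir/$name"
    cp "$dmg" "$workdir/$name/$name.dmg"
    (
        cd "$workdir/$name"
        # The .dmg is binary: detached, ASCII-armored signature, not --clearsign
        # (clearsign wraps text and would mangle a disk image).
        gpg --batch --yes --armor --detach-sign \
            --output "$name.dmg.asc" "$name.dmg"
        sha256sum "$name.dmg" "$name.dmg.asc" > "${name}_sha256.sum"
        # The checksum list is text, so it can be clearsigned. --output is
        # required: gpg writes to <file>.asc by default and ignores a redirect.
        gpg --batch --yes --clearsign \
            --output "${name}_sha256.sum.asc" "${name}_sha256.sum"
    )
    tar -C "$workdir" -cJf "$workdir/$name.tar.xz" "$name"
    echo "$workdir/$name.tar.xz"
}

# Downloader side. $1 archive, $2 release name, $3 expected signing-key
# fingerprint (learned out of band, e.g. from the signing page).
# Prints "ok" or "FAIL <step>".
verify_release() {
    archive=$1; name=$2; fpr=$3
    tmp=$(mktemp -d)
    tar -C "$tmp" -xJf "$archive"
    (
        cd "$tmp/$name" || { echo "FAIL unpack"; exit 0; }
        # 1. The clearsigned checksum list must carry a valid signature *from the
        #    pinned key*; a good signature from an arbitrary key proves nothing.
        gpg --batch --status-fd 1 --verify "${name}_sha256.sum.asc" 2>/dev/null \
            | grep -q "^\[GNUPG:\] VALIDSIG $fpr " \
            || { echo "FAIL sumfile-signature"; exit 0; }
        # 2. Take the checksums from the signed copy, never from a loose .sum
        #    file that could have been replaced alongside the .dmg.
        gpg --batch --decrypt --output - "${name}_sha256.sum.asc" 2>/dev/null \
            | tr -d '\r' | sha256sum -c --quiet - >/dev/null 2>&1 \
            || { echo "FAIL checksum"; exit 0; }
        # 3. The detached signature over the .dmg itself, same pinned key.
        gpg --batch --status-fd 1 --verify "$name.dmg.asc" "$name.dmg" 2>/dev/null \
            | grep -q "^\[GNUPG:\] VALIDSIG $fpr " \
            || { echo "FAIL dmg-signature"; exit 0; }
        echo ok
    )
    rm -rf "$tmp"
}

# Runs both sides in a throwaway GNUPGHOME, then swaps the .dmg in a copy of
# the archive the way an attacker controlling a mirror could. Prints both
# verdicts; prints "skip" if the needed tools are not installed.
demo() {
    for t in gpg xz sha256sum tar; do
        command -v "$t" >/dev/null 2>&1 || { echo skip; return 0; }
    done
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    # Throwaway, unprotected key standing in for the release-signing key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'tb-signing-demo <demo@example.invalid>' default default never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '/^fpr/ { print $10; exit }')
    work=$(mktemp -d)
    # Constructed stand-in for the TorBrowser .dmg; any bytes will do here.
    printf 'constructed stand-in for TorBrowser .dmg\n' > "$work/payload.dmg"
    archive=$(sign_release "$work" tb_osx_demo "$work/payload.dmg")
    good=$(verify_release "$archive" tb_osx_demo "$fpr")
    # Tamper: unpack, alter the .dmg, repack. The signed checksum list cannot
    # be regenerated without the key, so the swap must be detected.
    evil=$(mktemp -d)
    tar -C "$evil" -xJf "$archive"
    printf 'backdoor\n' >> "$evil/tb_osx_demo/tb_osx_demo.dmg"
    tar -C "$evil" -cJf "$evil/tb_osx_demo.tar.xz" tb_osx_demo
    bad=$(verify_release "$evil/tb_osx_demo.tar.xz" tb_osx_demo "$fpr")
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "$good / $bad"
}
```

Running `demo` prints `ok / FAIL checksum`. Two details carry over to a real release process: the verifier pins the fingerprint via gpg's `VALIDSIG` status line rather than reading "Good signature" off the screen, which is exactly the step the `[unknown]` / "not certified" warning in the gpg transcript above is pointing at; and every checksum it trusts comes out of the clearsigned copy, so the unsigned .sum file in the archive is only a convenience.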
