[tor-bugs] #26045 [Applications/Tor Browser]: Create a new MAR signing key for ESR60

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 13 08:54:43 UTC 2018


#26045: Create a new MAR signing key for ESR60
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:
                                                 |  reopened
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  GeorgKoppen201806,                   |  Actual Points:
  TorBrowserTeam201806                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 It seems mcs and brade found the problem: when building the nightly not
 the nightly certificates are included into the build but `dep1.der` and
 `dep2.der`. The code responsible for that is
 {{{
 if CONFIG['MOZ_UPDATE_CHANNEL'] in ('alpha', 'beta', 'release', 'esr'):
     primary_cert.inputs += ['release_primary.der']
     secondary_cert.inputs += ['release_secondary.der']
 elif CONFIG['MOZ_UPDATE_CHANNEL'] in ('nightly', 'aurora', 'nightly-elm',
                                       'nightly-profiling', 'nightly-oak',
                                       'nightly-ux'):
     primary_cert.inputs += ['nightly_aurora_level3_primary.der']
     secondary_cert.inputs += ['nightly_aurora_level3_secondary.der']
 else:
     primary_cert.inputs += ['dep1.der']
     secondary_cert.inputs += ['dep2.der']
 }}}
 and we set the update channel to `default` for nightlies (see the `tor-
 browser-build` repo projects/firefox/config). After copying the new certs
 over `dep1.der` and `dep2.der` scenario 3c) and 3d) in comment:6 behave as
 expected: in the former nothing happens after the successful signature
 verification and in the latter the update works. Thus, we are good with
 the new key.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26045#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
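
Added example, not part of gk's comment or of the Tor Browser or Firefox build code: a pre-build check in Python that reproduces the channel-to-certificate selection quoted above and reports when the files the build will actually embed are not the intended signing certificates. The function names, the directory layout and the certificate bytes are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Channel groups copied from the moz.build snippet quoted in the comment.
RELEASE = ('alpha', 'beta', 'release', 'esr')
NIGHTLY = ('nightly', 'aurora', 'nightly-elm', 'nightly-profiling',
           'nightly-oak', 'nightly-ux')

def selected_certs(channel):
    """Return the (primary, secondary) cert file names the build embeds."""
    if channel in RELEASE:
        return ('release_primary.der', 'release_secondary.der')
    if channel in NIGHTLY:
        return ('nightly_aurora_level3_primary.der',
                'nightly_aurora_level3_secondary.der')
    return ('dep1.der', 'dep2.der')  # fallback, taken by channel 'default'

def check_embedded_certs(cert_dir, channel, expected_digests):
    """List selected cert files whose SHA-256 is not an expected signing cert."""
    problems = []
    for name in selected_certs(channel):
        path = Path(cert_dir) / name
        if not path.is_file():
            problems.append(f'{name}: missing')
        elif hashlib.sha256(path.read_bytes()).hexdigest() not in expected_digests:
            problems.append(f'{name}: not one of the expected certs')
    return problems

def demo():
    """Constructed tree: new certs copied only over the nightly file names."""
    new1, new2 = b'constructed-new-cert-1', b'constructed-new-cert-2'
    old = b'constructed-stock-cert'
    expected = {hashlib.sha256(c).hexdigest() for c in (new1, new2)}
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / 'nightly_aurora_level3_primary.der').write_bytes(new1)
        (d / 'nightly_aurora_level3_secondary.der').write_bytes(new2)
        (d / 'dep1.der').write_bytes(old)
        (d / 'dep2.der').write_bytes(old)
        before = check_embedded_certs(d, 'default', expected)
        # The change described in the comment: new certs copied over dep1/dep2.
        (d / 'dep1.der').write_bytes(new1)
        (d / 'dep2.der').write_bytes(new2)
        after = check_embedded_certs(d, 'default', expected)
    return before, after

if __name__ == '__main__':
    print(demo())
```

Run against a real tree, the expected digests would come from the DER files of the new signing certificates, and the channel from the build configuration.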

