[tor-bugs] #27438 [Applications/Tor Browser]: Android Gradle Build Downloads

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 18 19:55:38 UTC 2018


#27438: Android Gradle Build Downloads
-------------------------------------------------+-------------------------
 Reporter:  sisbell                              |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-rbm, tbb-mobile,                 |  Actual Points:
            TorBrowserTeam201810R                |
Parent ID:  #26693                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by boklm):

 * keywords:  tbb-rbm, tbb-mobile, TorBrowserTeam201810 => tbb-rbm, tbb-mobile, TorBrowserTeam201810R
 * status:  needs_revision => needs_review


Comment:

 Replying to [comment:17 sisbell]:
 > >> It's a little more complicated but not by much. Basically, it checks
 > extensions to see if it has a gpg signature for an artifact and if so then
 > verifies it with a key from key server. If there is no gpg sig, then it
 > looks for a sha2 file and verifies that. If there is no sha2, then it just
 > generates one and flags it. (it could go on to check sha1, md5 but I
 > didn't implement that). I'm ok either way with script or artc. Would that
 > require different scripts for each platform we build on?

 If I understand the sources of artc correctly, a signature made by any key
 that is available on pgp.mit.edu will be accepted, so that does not seem
 very useful, as anybody can generate a key and upload it there. A sha file
 that is hosted on the same server as the file we download is also not very
 useful, as someone able to modify the file on the server will probably be
 able to modify the sha file too.

 In branch `bug_27438` I added a script, in an `input_files`, that downloads
 all the URLs from `gradle-dependencies-list.txt`, checks that the files
 match the expected sha256sums, and moves them to the same directory as in
 their URL:
 https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_27438&id=ba47a5262a31039ef519b0655cbfe221dcb71b8b

 After running this I'm getting the same content as `maven-repo-1.0.tar.gz`.
 If that looks good to you, you can add the patch to your branch.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27438#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
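The check described in the comment above, as an added Python example that is not the bug_27438 script itself: a list of pinned sha256 digests and URLs is read, each artifact is fetched, kept only when its digest matches, and stored under the host/path taken from its URL. The repository host, artifact names and the in-memory stand-in for the download server are constructed for the example.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# Constructed "<sha256>  <url>" list; the digests are pinned in the build tree, not served.
GOOD = b"constructed jar bytes"
DEPENDENCY_LIST = f"""\
{hashlib.sha256(GOOD).hexdigest()}  https://repo.example.org/com/example/lib/1.0/lib-1.0.jar
{'0' * 64}  https://repo.example.org/com/example/lib/1.0/lib-1.0.pom
"""
# Constructed network stand-in (URL -> bytes served); the .pom content is tampered.
FAKE_SERVER = {
    "https://repo.example.org/com/example/lib/1.0/lib-1.0.jar": GOOD,
    "https://repo.example.org/com/example/lib/1.0/lib-1.0.pom": b"tampered",
}

def repo_path(url):
    """Map a URL to host/path, the layout the artifact had on its server;
    empty or '..' components are refused so an entry cannot escape repo_dir."""
    u = urlparse(url)
    parts = u.path.lstrip("/").split("/")
    if not u.netloc or "" in parts or ".." in parts:
        raise ValueError(f"refusing unsafe URL path: {url}")
    return os.path.join(u.netloc, *parts)

def fetch_and_verify(list_text, repo_dir, fetch=FAKE_SERVER.__getitem__):
    """Fetch each listed artifact and keep it only if its sha256 matches the
    pinned digest. Returns the rejected URLs; nothing is written for those."""
    rejected = []
    for line in filter(str.strip, list_text.splitlines()):
        expected, url = line.split()
        data = fetch(url)
        if hashlib.sha256(data).hexdigest() != expected.lower():
            rejected.append(url)
            continue
        dest = os.path.join(repo_dir, repo_path(url))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as f:
            f.write(data)
    return rejected

def run_demo():
    """Run against the constructed server; return (rejected URLs, placed files)."""
    with tempfile.TemporaryDirectory() as repo:
        rejected = fetch_and_verify(DEPENDENCY_LIST, repo)
        placed = sorted(os.path.relpath(os.path.join(r, n), repo)
                        for r, _, names in os.walk(repo) for n in names)
    return rejected, placed
```

Replacing `fetch` with a real HTTP client turns this into the download step; the digest check and the refusal to write mismatching content stay the same.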
