[tor-bugs] #25102 [Applications/Tor Browser]: Add script to sign nightly build mar files, generate update-responses xml and publish the new version
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 3 12:15:34 UTC 2020
#25102: Add script to sign nightly build mar files, generate update-responses xml
and publish the new version
-------------------------------------------------+-------------------------
Reporter: boklm | Owner: boklm
Type: task | Status:
| needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm, tbb-update, | Actual Points: 4.5
TorBrowserTeam202004R |
Parent ID: #18867 | Points: 3.5
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by boklm):
GeKo was asking on IRC why we are hardcoding the version of martools we
are using for signing the mar files, and why we are not just using the
martools from the nightly builds.
The reason to do that is to isolate the signing VM from the build VM. The
nightly setup looks like this:
- the nightly build VM is building the nightly, and makes the builds
available through http on an onion address. The nightly build is using the
git master branch from several components, which means that an attacker
who manages to get root access to the git server would also be able to
access the build VM.
- the signing VM fetches the mar files from the build VM through the onion
address, sign them (using the martools from a stable Tor Browser version),
and upload the signed mars to https://nightlies.tbb.torproject.org/ (using
an ssh key). If we were using the martools from the nightly build, an
attacker who got access to the build VM could get access to the signing VM
too and steal the signing key, and the ssh key to upload malicious mar
files to nightlies.tbb.torproject.org.
So I think it is useful to try to keep the build and signing VMs separate.
Unfortunately this is not enough to avoid the case where an attacker uses
their access to the build VM to produce malicious builds for nightly
users. To mitigate this I think what we can do:
- reinstall the build VM frequently. Keeping build and signing VMs
separate means we don't have to rotate mar signing and ssh keys at the
same time.
- require all commits (or at least the top commit on the master branch) to
be signed
- have a second build VM, and check that the builds are matching before
signing them.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25102#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list