[tor-dev] Gitian-based Deterministic Build System for TBB (Need MacOS Help!)

Mike Perry mikeperry at torproject.org
Wed May 15 06:49:57 UTC 2013

Over the past couple weeks I've been redoing the TBB build system to use
Gitian to produce alpha TBBs using Tor Launcher instead of Vidalia. I
have succeeded in producing deterministic, localized builds of TBB for
Linux and Windows.

This means that independent people all over the world can now easily
produce their own bundles for these platforms fresh from sources, and
have their bundles exactly match the bundles the Tor Project releases,
down to the SHA256 hash.

If we leverage this property wisely, it will allow us to defend against
targeted attacks against our bundlers and their build machines, and even
ultimately ensure the integrity of our bundles in the event of key
compromise of the gpg keys used to sign the bundles.

My plan for this is for there to be between 2-3 official signers for
each bundle, where each person produces their build independently, and
signs the (identical) result files.

To further protect against targeted attack, in addition to these 2-3
official signers, we need some people to be "secret verifiers". Ideally
these people would not be publicly affiliated with the Tor Project, but
would still produce their own bundles anyway. If their SHA256 ever fails
to match the signed bundles, that person should anonymously open a trac
ticket (using the cypherpunks account) and attach the bundle files that
differ for analysis. The differing files can be found easily enough with
'diff -r'.

To ensure the existence of these "secret verifiers", I believe that the
official signers should occasionally conspire to conduct "Fire Drills",
where they all agree to alter the bundle in some innocuous way (such as
adding whitespace to a config file or a Firefox JS file), and ensure
that a verifiers anonymously report the verification failure.

In future versions of Tor, we should probably add a consensus field
consisting of a url to a file that lists the current recommended bundle
hashes and versions, along with the current SHA256 of that file, to
anchor the bundle authentication the Tor's current trust root (the 9
dirauth keys).

To try out the new build system, please see the README, and let me know
where the system could use clarification or improvement to make it
easier to use:

The build system has some quirks that are worth mentioning:

1. It requires you run it from either an Ubuntu 12.04 or above host with
KVM support, *or* you run it from an Ubuntu 12.04 or above chroot/VM.
The bundle scripts try to detect your current situation and suggest that
you "export USE_LXC=1" from your shell if you need to, to cause the
system to use LXC instead of KVM (so that you can build from an Ubuntu
VM or on a machine that does not otherwise support KVM).

2. We currently have no MacOS support. To support MacOS, we need to
create cross-compilers for it so that we can produce builds from the
Gitian VMs (which again are Ubuntu). A few people have done this. I have
sent them mail asking for instructions on how to reproduce their
compiler packages:

Unfortunately, at least one of those URLs say that to produce a
cross-compiler, you need access to an OSX SDK. Since I do not have a Mac
that is currently supported by recent OSX SDKs, and since we *really*
want to be sure that the cross-compilers we produce use code from a
fresh known-good SDK install, I won't be doing this. Please let me know
if you'd like to help tackle this problem.

In the meantime, I am going to work on the rest of the "Short Term" TODO
items, and produce official alpha bundles for Linux and Windows, so we
can test Tor Launcher in an official alpha release. Here's the TODO file:

Happy building!

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20130514/d8203e95/attachment.pgp>

More information about the tor-dev mailing list