[tor-dev] File verification GUI tool

isis agora lovecruft isis at torproject.org
Sun Sep 29 09:50:21 UTC 2013

Sherief Alaa transcribed 13K bytes:
> Hi Everyone,
> (moving this email from the support-team ML to tor-dev as Runa suggested.)
> I am starting to work on a small GUI tool for file verification because I
> find guiding users through the verification process on Windows/Mac through
> the command line painful.
> Tools in use:
> - Python 3.3 or 2.7 (still didn't decide yet).
> - PyQT
> - python-gnupg-0.3.5

Hi Sherief,

I'm not sure if you were planning on using the upstream version, or the
python-gnupg that I (re)wrote to fix the arbitrary code exec vulns, but the
one you mention (python-gnupg-0.3.5) is upstream, not mine. Though, granted,
they have fixed some of the vulns in the latest version.

I probably should also point out if you're thinking of using the upstream,
that their "unittests" are run encased in try/except blocks, and thus never
fail even when they should.

Third, the upstream version doesn't handle unicode very well. If you're using
it for file verification of TBB sha256sum files, it shouldn't matter as much,
but if the user tries to verify anything containing non-ascii characters it's
going to quickly become ten times as painful.

> I might also add a log window and a save log button to see what went wrong
> during the verification process.
> Attached is a draft design of how the tool would look like.
> On Mon, Sep 23, 2013 at 7:12 PM, Lunar <lunar at torproject.org> wrote:
> >How do you think users will be able to install such a tool on their
> >system?
> There won't be any installation required It's a single executable.

Neither my version nor upstream's is an implementation of the OpenPGP spec. In
other words, they both expect you to have a GnuPG binary already present on
the system. My version will handle multiple versions of GnuPG, up to builds of
branches 2.0.x. I don't recall what upstream handles, though if I recall
correctly, just GnuPG 1.4.12-14.

So, at bare minimum, you have two executables, if you ship GPG4Win (horribly
out of date, I don't recommend it) and you compile your script and its Python
dependencies into executables. You might want to check on how the APAF folks
are getting along with their work; they intend to create some sort of
cross-platform Python App runner.

> >More importantly, how will they be able to ensure that it's
> >not a tampered version?
> I've thought about that and few things came to mind:
> - Include the executable inside TBB.
> - Host it somewhere and also provide a SHA-256 hash on a website or in a
> file.

Also, copies of the keys which made the signatures.

Hope this helps a bit,

 ♥Ⓐ isis agora lovecruft
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1105 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20130929/150ea0a6/attachment.sig>

More information about the tor-dev mailing list