
Re: [tor-bugs] #13379 [Tor Browser]: Sign our MAR files



#13379: Sign our MAR files
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mcs
  mikeperry              |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-security,
  Browser                |  TorBrowserTeam201412,TorBrowserTeam201412R
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 If I sign the .mar files with the key embedded in the second certificate I
 get
 {{{
 ERROR: Error verifying signature.
 ERROR: Not all signatures were verified.
 }}}
 But the update with the full .mar file works and the one with the
 incremental .mar file is broken as described above. I guess these errors
 occur as the verifier is first trying the first key which results in an
 error and then falling back to the second one. I am not sure whether users
 get to see these errors during a "real" update. They might get confused
 and thus it might be better to show errors only if the signature
 verification fails. On the other hand, it might be helpful later on when we
 embed more than one signature to log verification failures even if the
 signature verification succeeds (for instance if we have two signatures
 but require only one to succeed). So, maybe we should leave that for now
 as-is?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:45>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs