Re: [tor-bugs] #13379 [Tor Browser]: Sign our MAR files

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#13379: Sign our MAR files
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mcs
  mikeperry              |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-security,
  Browser                |  TorBrowserTeam201412,TorBrowserTeam201412R
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mcs):

 Replying to [comment:45 gk]:
 > If I sign the .mar files with the key embedded in the second certificate
 I get
 > {{{
 > ERROR: Error verifying signature.
 > ERROR: Not all signatures were verified.
 > }}}
 > But the update with the full .mar file works and the one with the
 incremental .mar file is broken as described above. I guess these errors
 occur as the verifier is first trying the first key which results in an
 error and then falling back to the second one.

 libmar writes those error messages to stderr.  I don't think users will
 see them except at the terminal or if they capture stderr.  Certainly they
 will have to go look for them.  I think we should keep as possibly useful
 diagnostic messages (although "ERROR:" is misleading in this case).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:50>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs