[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Tor Distros Repository Problems (serious!)

To: or-talk@xxxxxxxx
Subject: Tor Distros Repository Problems (serious!)
From: wirelesssnowman@xxxxxxxxxxxxx
Date: Mon, 17 Jan 2011 21:24:59 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Mon, 17 Jan 2011 22:44:59 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=N1-0105; d=Safe-mail.net; b=k/fEFUAAQXSBZZ+WffD8G3l5mdD3Jyip7abIhI4ki35oHtYwGEPK9BvE0qLC5MQd SBgGlSiN7Whh3LSmpJKyO/Y/ej+GGIvgxbQAPjfDQ2ohaqnhCn5hU8PInHsAaM9u 7JbKUt9F8u4oN/3tyr8jdNijJV/V/yxBIS9JSwaBNG4=;
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Point 1: Binaries (DEBs/RPMs) are NOT correctly signed!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Demonstration of point 1:

Download a current Tor binary (rpm or deb file) from Tor's official repositories. Next, download the RPM-GPG-KEY-torproject.org file. Finally, download the .asc file for the Tor binary version you've downloaded.

Compare these files:

RPM-GPG-KEY-torproject.org *AND* the .asc file from the binary's repo dir

*BOTH* files are *EXACTLY* the *SAME*! They are the public key from the would be signer, but the .asc files are NOT the correctly signed files from the signer's public key. The .asc files are WORTHLESS and gpg issues an error if you try and verify the .asc files:

#gpg: verify signatures failed: Unexpected error

Why? Because it's not a valid signature at all, it's a duplicate copy of the public key which is also found in RPM-GPG-KEY-torproject.org !


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Point 2: No checksums available for the binaries!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Demonstration of point 2: Within your web browser, navigate the directory tree for the Tor official binaries. 

Example: http://deb.torproject.org/torproject.org/rpm/(pick a distro)

No md5, sha1, sha256, or better checksums are available for verification!!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Conclusion: PROPERLY SIGN THE BINARIES AND ISSUE CHECKSUM FILES!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

This is a simple task, the public key holder for the binaries should, can, and, if we are to place any trust in the binaries coming from a trusted
source, PROPERLY SIGN THEM and generate checksums for the binaries. This process only takes a few minutes for each release, and when you take in
mind how important this simple process is for each release, it should be MANDATORY a CAPABLE person is staffed to COMPLETE this process EVERY TIME!

I understand how a repository should be used, but consideration must be made for those who download files manually and attempt to verify vs. allowing their package manager to do the work with the repos/files.
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

Prev by Author: Re: Tor uses swap?
Next by Author: Tor Distros Repository Problems (serious!)
Previous by thread: Re: Torservers: Update on move to UK & on the association
Next by thread: Tor Distros Repository Problems (serious!)
Index(es):
- Author
- Thread