[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #22612 [Applications/Tor Browser]: Provide a list sha256's for verified binary downloads from mirrors
#22612: Provide a list sha256's for verified binary downloads from mirrors
------------------------------------------+----------------------
Reporter: BenjaminCarr | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords: sha256
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
While attempting to bump the version in the OSX Homebrew system in the
middle of the night I discovered that the list of sha256s provided did not
allign with the downloaded DMGs that were on the mirrors:
shasum -a 256 TorBrowser-7.0.1-osx64_ar.dmg
96127d410647bc63b592238e7a5473a63c9588a88fbc501cbce93b02e546bf2e
TorBrowser-7.0.1-osx64_ar.dmg
when on the list it is:
325550bf93c24e302354d4bcf90bda04540c4e8c78c270b735b5598e1dcd988d
TorBrowser-7.0.1-osx64_ar.dmg
Since distributing tainted software is of concern particularly on security
related matters, I halted the PR and flagged it. Contributors on two other
continents checked their mirrors, and we were all getting the same
sha256s, but these did not align with the only published list of shas. The
only publiclly avaailable sha list is for the signed software (here is
v7.0.1): https://dist.torproject.org/torbrowser/7.0.1/sha256sums-unsigned-
build.txt
While we acknowledge the utility and use of the PGP *.asc signing, the
homebrew (I have no idea what kind of reach we have for Tor products)
currently require a sha256 on a downloaded file even if other verification
methods are used. Thus to implement PGP verification we would need to do
it on top of the sha256 unless we switch TorBrowser to `:latest` which we
do not want to do for security reasons.
As the tested sha256s are consistent across mirrors a published list of
sha256s for known good installers/DMGs is requested; as I was not the only
one confused; but rather four homebrew contributors/maintainers.
Needing to wget all of the binaries to verify the sha's presents two
problems, one the mirror used could be tainted/compromised; given recent
seizures like those in France this is of modest concern. But even in
affluent countries like the US highspeed broadband is not evenly
distributed; and needing to pull 16 ~62MB DMG's is nearly a gigabyte of
data just to verify the sha256s. A `verified` sha256 list solves both
these problems.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22612>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs