Re: [tor-bugs] #26045 [Applications/Tor Browser]: Create a new MAR signing key for ESR60
#26045: Create a new MAR signing key for ESR60
--------------------------------------------------+--------------------------
 Reporter:  gk                                    |          Owner:  tbb-team
     Type:  task                                  |         Status:  reopened
 Priority:  Very High                             |      Milestone:
Component:  Applications/Tor Browser              |        Version:
 Severity:  Normal                                |     Resolution:
 Keywords:  GeorgKoppen201806,                    |  Actual Points:
            TorBrowserTeam201806                  |
Parent ID:                                        |         Points:
 Reviewer:                                        |        Sponsor:
--------------------------------------------------+--------------------------
Changes (by gk):
* cc: mcs, brade (added)
Comment:
Okay, I tested quite a bit. Here are the scenarios I covered:
old=BZIP2 new=LZMA

1) Signing old and new MAR file based on latest esr60 tor browser code with currently used cert
  a) used esr60 nightly (just tested old MAR compression)
     ERROR: Unknown signature algorithm ID.
     ERROR: Unknown signature algorithm ID.
  b) used esr52 alpha
    i) old worked, updated to esr60 nightly
    ii) new did not work, did essentially nothing and gave no errors
2) Signing old and new MAR file based on latest esr60 tor browser code with new cert
  a) esr60 nightly (tested old and new MAR compression)
     ERROR: Error verifying signature.
     ERROR: Error verifying signature.
  b) esr52 nightly (just tested with old MAR compression)
     ERROR: Unknown signature algorithm ID 2.
     ERROR: Unknown signature algorithm ID 2.
3) Taking the result from 1a)i
  a) applying old with nssdb4
     ERROR: Unknown signature algorithm ID.
     ERROR: Unknown signature algorithm ID.
  b) applying new with nssdb4
     ERROR: Unknown signature algorithm ID.
     ERROR: Unknown signature algorithm ID.
  c) applying old with nssdb6
     ERROR: Error verifying signature.
     ERROR: Error verifying signature.
  d) applying new with nssdb6
     ERROR: Error verifying signature.
     ERROR: Error verifying signature.

Everything looks good except in 3c) and 3d). I had expected that in 3c)
nothing happens and in 3d) the update with the new cert works. I tried to
debug that and came earlier to the conclusion that I need to replace the
nightly certs with the new certs as well for testing purposes. That's
already included.
Now, I wonder what is going on. If I use the new mar-tools and create a
new `nssdb` importing the public part of the new cert into it using
{{{
certutil -A -d nssdb -n marsigner -t,, -i ../../tor-browser/toolkit/mozapps/update/updater/release_primary.der
}}}
and doing now a verification of the signature of the two MAR files used in
3c) and 3d) the check succeeds. I.e.:
{{{
signmar -d nssdb -n marsigner -v 8.0a10_nssdb6/tor-browser-linux64-tbb-nightly-new-nightly-cert-unsigned.mar
}}}
returns nothing while importing the second new cert and checking against
that one fails (which is expected as the key behind the first one signed
the MAR files).
So, this makes me feel optimistic. Still, it would be nice to understand
why the update in 3d) failed and why there was a signature verification
error in 3c).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26045#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
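
Added example, not part of the original message or of the Tor Browser/Mozilla code: a small reader for the signature block of a signed MAR file, useful for seeing which signature algorithm ID a file carries when an updater reports "Unknown signature algorithm ID". The header layout and ID names are stated from the MAR format documentation, not from this ticket; `build_sample`, the `supported` set and the 8-signature bound are assumptions of this sketch.

```python
import struct

# Signature algorithm IDs of the signed MAR format (assumption: taken from
# the format documentation, not from this ticket).
SIG_ALGORITHMS = {1: "RSA-PKCS1-SHA1", 2: "RSA-PKCS1-SHA384"}
MAX_SIGNATURES = 8  # sanity bound chosen for this example


class MarFormatError(ValueError):
    pass


def read_signature_entries(data: bytes):
    """Return [(algorithm_id, signature_length), ...] from a signed MAR."""
    if len(data) < 20 or data[:4] != b"MAR1":
        raise MarFormatError("not a signed MAR file")
    # Big-endian: uint32 offset to index, uint64 file size, uint32 count.
    _index_off, file_size, num_sigs = struct.unpack_from(">IQI", data, 4)
    if file_size != len(data):
        raise MarFormatError("header file size does not match actual size")
    if num_sigs > MAX_SIGNATURES:
        raise MarFormatError("implausible signature count")
    entries, pos = [], 20
    for _ in range(num_sigs):
        if pos + 8 > len(data):
            raise MarFormatError("truncated signature entry")
        alg_id, sig_len = struct.unpack_from(">II", data, pos)
        pos += 8
        if sig_len > len(data) - pos:
            raise MarFormatError("signature runs past end of file")
        entries.append((alg_id, sig_len))
        pos += sig_len
    return entries


def describe(entries, supported):
    """supported: algorithm IDs a given updater build accepts (hypothetical)."""
    return [
        f"ID {a} ({SIG_ALGORITHMS.get(a, 'unknown')}, {n}-byte signature): "
        + ("in supported set" if a in supported else "not in supported set")
        for a, n in entries
    ]


def build_sample(alg_id, sig_len):
    """Constructed input: header plus one zero-filled signature, no content."""
    body = struct.pack(">III", 1, alg_id, sig_len) + bytes(sig_len)
    total = 16 + len(body)
    return b"MAR1" + struct.pack(">IQ", total, total) + body
```

To inspect a real file, pass the bytes read from the `.mar` to `read_signature_entries`; this only lists what the file declares and does not verify the signature, which is what `signmar -v` does.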