[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] File verification GUI tool



Sherief Alaa transcribed 13K bytes:
> Hi Everyone,
> 
> (moving this email from the support-team ML to tor-dev as Runa suggested.)
> 
> I am starting to work on a small GUI tool for file verification because I
> find guiding users through the verification process on Windows/Mac through
> the command line painful.
> 
> Tools in use:
> - Python 3.3 or 2.7 (still didn't decide yet).
> - PyQT
> - python-gnupg-0.3.5
> 

Hi Sherief,

I'm not sure if you were planning on using the upstream version, or the
python-gnupg that I (re)wrote to fix the arbitrary code exec vulns, but the
one you mention (python-gnupg-0.3.5) is upstream, not mine. Though, granted,
they have fixed some of the vulns in the latest version.

I probably should also point out if you're thinking of using the upstream,
that their "unittests" are run encased in try/except blocks, and thus never
fail even when they should.

Third, the upstream version doesn't handle unicode very well. If you're using
it for file verification of TBB sha256sum files, it shouldn't matter as much,
but if the user tries to verify anything containing non-ascii characters it's
going to quickly become ten times as painful.

> I might also add a log window and a save log button to see what went wrong
> during the verification process.
> 
> Attached is a draft design of how the tool would look like.
> 
> On Mon, Sep 23, 2013 at 7:12 PM, Lunar <lunar@xxxxxxxxxxxxxx> wrote:
> >How do you think users will be able to install such a tool on their
> >system?
> 
> There won't be any installation required It's a single executable.
> 

Neither my version nor upstream's is an implementation of the OpenPGP spec. In
other words, they both expect you to have a GnuPG binary already present on
the system. My version will handle multiple versions of GnuPG, up to builds of
branches 2.0.x. I don't recall what upstream handles, though if I recall
correctly, just GnuPG 1.4.12-14.

So, at bare minimum, you have two executables, if you ship GPG4Win (horribly
out of date, I don't recommend it) and you compile your script and its Python
dependencies into executables. You might want to check on how the APAF folks
are getting along with their work; they intend to create some sort of
cross-platform Python App runner.

> >More importantly, how will they be able to ensure that it's
> >not a tampered version?
> 
> 
> I've thought about that and few things came to mind:
> - Include the executable inside TBB.
> - Host it somewhere and also provide a SHA-256 hash on a website or in a
> file.

Also, copies of the keys which made the signatures.

Hope this helps a bit,

-- 
 ââ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev