[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #18497 [Tor Browser]: Check that MAR signing is done properly on the files available in the update responses



#18497: Check that MAR signing is done properly on the files available in the
update responses
-----------------------------+-------------------
     Reporter:  boklm        |      Owner:  boklm
         Type:  enhancement  |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Tor Browser  |    Version:
     Severity:  Normal       |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+-------------------
 In #18405 we are adding a script to be used during the release process to
 check that the MAR files are properly signed. We could have an other one
 that is doing the same things on the files currently proposed as an
 update. This would allow someone to easily check (maybe as a cron job)
 that the updates currently available are the same as the ones in the
 sha256sums-unsigned-build files.

 In tools/update-responses/check_update_responses_deployement we have a
 script that currently check that the update responses xml provides the
 expected version. I think I could extend it to also download the mar files
 it provides, unsign them and check that they match sha256sums-unsigned-
 build.txt.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18497>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs