Re: [tor-bugs] #13379 [Tor Browser]: Sign our MAR files
#13379: Sign our MAR files
-----------------------------+--------------------------
     Reporter:  mikeperry    |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  major        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-security
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------
Comment (by mcs):

Replying to [comment:5 gk]:
> Given your knowledge of the MAR signing code Mozilla provides do you
> think there are general obstacles to extend that to add support for a
> verification method relying on more than one key?

I am not sure exactly what you are asking. Mozilla currently supports
embedding zero or more signatures in a MAR file. The signatures are added
using a program named signmar which is really just a more capable variant
of the mar program. signmar requires an NSS certificate database that
contains a private key plus a self-signed certificate.

Then, if you configure the Firefox build with --enable-verify-mar, one or
two certificates are embedded in the updater program and signatures
contained within any MAR file that is downloaded are checked against those
certificates. All signatures must be verified using one or the other cert
or the MAR file will be rejected; that is, if the MAR file contains two
signatures both must be verifiable. And at least one signature must be
present when --enable-verify-mar is turned on.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
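
The acceptance rule described in the comment above, modelled as an added example that is not part of the original message and is not Mozilla's or Tor's updater code. Assumptions: HMAC-SHA384 stands in for real public-key signatures so the example runs with the standard library only, and the key names, the simplified signature-block layout and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed keys: two stand-ins for the certificates embedded in the
# updater, plus one key the updater does not know about.
CERT_A, CERT_B, UNKNOWN = b"release-key-1", b"release-key-2", b"unknown-key"

def toy_sign(key: bytes, payload: bytes) -> bytes:
    """Stand-in for a public-key signature (assumption, not MAR's scheme)."""
    return hmac.new(key, payload, hashlib.sha384).digest()

def build_sig_block(payload: bytes, keys) -> bytes:
    """Simplified block: big-endian count, then length-prefixed signatures."""
    block = struct.pack(">I", len(keys))
    for key in keys:
        sig = toy_sign(key, payload)
        block += struct.pack(">I", len(sig)) + sig
    return block

def parse_sig_block(block: bytes) -> list:
    (count,) = struct.unpack_from(">I", block, 0)
    offset, sigs = 4, []
    for _ in range(count):
        (size,) = struct.unpack_from(">I", block, offset)
        offset += 4
        if offset + size > len(block):
            raise ValueError("truncated signature entry")
        sigs.append(block[offset:offset + size])
        offset += size
    return sigs

def accept_update(payload: bytes, block: bytes, embedded_keys) -> bool:
    """Apply the acceptance rule to one update file."""
    try:
        sigs = parse_sig_block(block)
    except (ValueError, struct.error):
        return False              # malformed block: reject
    if not sigs:
        return False              # at least one signature must be present
    # Every signature must verify against one or the other embedded key.
    return all(
        any(hmac.compare_digest(sig, toy_sign(key, payload))
            for key in embedded_keys)
        for sig in sigs
    )
```

Under this rule a file carrying a single valid signature from either embedded key is accepted, so embedding two certificates does not by itself require two signatures on every file.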