This repository has been archived by the owner on Aug 5, 2024. It is now read-only.
forked from cedricwalter/tor-binary
Showing 16 changed files with 13 additions and 13 deletions.
1 change: 0 additions & 1 deletion
tor-binary-resources/checksums/TorBrowser-9.0.5-osx64_en-US.dmg.SHA-512
This file was deleted.
1 change: 1 addition & 0 deletions
tor-binary-resources/checksums/TorBrowser-9.5.3-osx64_en-US.dmg.SHA-512
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
745b7dcb8aff72e4c33f2f175b124eb753eb2f0bd18319b9d9dc87500af370acd80e908cde61bd8fb57ae33c2c9981f7e9eec76c7aa13d819147e7fc07d6726e |
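Review bot: the added line is a bare digest, and nothing in this hunk records where the value came from. This file becomes the trust anchor for the macOS bundle in place of a live signature check, so record in the commit message or next to the checksum which signature file and signing-key fingerprint the 9.5.3 dmg was verified against before it was hashed, so that a later reviewer can reproduce the value.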
1 change: 0 additions & 1 deletion
tor-binary-resources/checksums/tor-browser-linux32-9.0.5_en-US.tar.xz.SHA-512
This file was deleted.
1 change: 1 addition & 0 deletions
tor-binary-resources/checksums/tor-browser-linux32-9.5.3_en-US.tar.xz.SHA-512
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
8ba731a1f362335d83d3de87b5681e54219a8d59fdfaab66ee05af09b404a685ff1009ae386d5f1a9ee43b6ccfc0adff2e4236d97e3dfa5595fde6f98f669d45 |
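Review bot: this pins only a SHA-512 value for the linux32 tarball, while the discussion on this commit points out that the upstream download directories for newer releases list asc signatures and SHA-256 hashes, so a pin in this form cannot be compared directly with what upstream publishes. Consider committing the SHA-256 alongside it, for example as a sibling .SHA-256 file, so the pin can be cross-checked against the upstream list without downloading the bundle again.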
1 change: 0 additions & 1 deletion
tor-binary-resources/checksums/tor-browser-linux64-9.0.5_en-US.tar.xz.SHA-512
This file was deleted.
1 change: 1 addition & 0 deletions
tor-binary-resources/checksums/tor-browser-linux64-9.5.3_en-US.tar.xz.SHA-512
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
760673a0b40c905ec2866a030f4de9c33240cb9138e8af38a28d8527899d9477a8afbe436eda0ff72cc125cd8a5db75cb88efdc8027a0db4ee91f3be363eed90 |
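Review bot: the release version appears only in the file name (tor-browser-linux64-9.5.3_en-US.tar.xz.SHA-512), and the 9.0.5 file is deleted rather than edited, so the build has to look the checksum up by a name that contains the version. Check that build.xml derives both the download name and this checksum path from a single version property and stops with a clear error when the checksum file is absent, so that a partial version bump cannot leave a bundle unverified.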
1 change: 0 additions & 1 deletion
tor-binary-resources/checksums/torbrowser-install-9.0.5_en-US.exe.SHA-512
This file was deleted.
1 change: 1 addition & 0 deletions
tor-binary-resources/checksums/torbrowser-install-9.5.3_en-US.exe.SHA-512
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
7acf7d70addbcd54b77e8b7684cdb8f24f0a50359cb2aad610fd004340f09207f6d97fabc8b6f7d82d5800510a1dca130958a6cbde67ad6aa48df96269b21d7d |
56b7c8c
Was trying to build this locally for a recent tor version (9.5.4 or 10.0) but I realised I need the corresponding SHA-512 checksums of the tor installers first (your repo has them for tor v9.5.3).

Where did you guys get the SHA-512 hashes of the official binaries? I checked the official tor repo and I could only find asc signatures and SHA-256 hashes:

https://dist.torproject.org/torbrowser/9.5.4/
https://dist.torproject.org/torbrowser/10.0/

Thanks.

cc @chimp1984
56b7c8c
hey @cd2357,

download it, check the signature, create the hash, commit the hash. It's in the build.xml.

Why did we do this? Because PGP servers got attacked a while ago and some keys got signed waay too often - meaning that downloading the key file takes ages. Given we always publish the binaries on jitpack, this has become an issue - because jitpack downloads the repo, builds the source and then extracts the binaries. Having a timeout of 20min or so, jitpack failed to even download the key that is used to sign the tor binary releases. Hence, I altered the build process that I downloaded the signing key locally (it has been several gigabytes big and took a long time to download and even longer to use - hours) and created the hash sums. Since then, builds on jitpack are fast and reliable, not jiggling around release tags and contacting jitpack support, because they had a bug in their "delete recent build" feature...

I understand that since then, the issue with openpgp servers has been fixed. However, it still occasionally happens that downloading the key and verifying the signature takes very long, so I left it.
56b7c8c
I see, thanks.

I thought the approach was "download their signed list of hashes, check the signature, commit the hashes". Cause in that case, they only publish the SHA-256.

Not sure what you mean by that, can you elaborate? The key is very small, do you mean the 4 tor-browser binaries needed to extract the platform-specific tor binaries?

Had to reconstruct the process on my own, so I may have missed smth or maybe didn't fully understand the way it's done.
56b7c8c
The attack rendered live key download and verification of signatures unfeasible. Here is some further reading: https://lists.torproject.org/pipermail/tor-project/2019-June/002377.html
The attack presented itself twofold:
Since jitpack had (has?) a 20min timeout for builds, and the tor binary build did "download tor browser bundle->verify->extract->repack the tor binaries", it timed out frequently. So I changed the build process to do the verification of the tor browser binaries locally. Because of the attack, that took hours. However, it made sure I could derive correct hashes. (There haven't been any sha256 hashes back then, otherwise I would have used them).
Since then, the remnants of the attack have been removed and key services had the vulnerability patched. Now, the key file is again very small and everything should work like a charm. However, since I always had issues with jitpack builds timing out because of key verification (either the download took too long, or the verification, or...) I decided to leave it as is - since the verification chain holds (except if someone spoofs github of course, and if that is the case, we have other problems).
you could have asked.
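
The pin-then-verify flow described in this thread (check the signature once locally, commit the digest, let the build compare against it), as an added shell example that is not part of the thread or of the repository's build.xml. The function names, the directory argument and the commented gpg step are assumptions; the file naming follows the `<artifact>.SHA-512` files in this commit.

```shell
#!/bin/sh
# Added example: pin and re-check SHA-512 digests in the bare-digest layout
# used by this commit (<artifact>.SHA-512 holding a single hex line).

# Maintainer side, run once per release AFTER the signature has been checked
# locally, e.g.:  gpg --verify "$artifact.asc" "$artifact"
pin_checksum() {
    pc_artifact=$1
    pc_dir=$2
    sha512sum "$pc_artifact" | cut -d' ' -f1 \
        > "$pc_dir/$(basename "$pc_artifact").SHA-512"
}

# Build side: no key download, only a comparison with the committed digest.
# Returns 0 on match, 1 on mismatch, 2 if no pin exists, 3 if the pin is malformed.
verify_pinned() {
    vp_artifact=$1
    vp_file="$2/$(basename "$vp_artifact").SHA-512"

    # A missing pin must fail the build, never be treated as "nothing to check".
    [ -f "$vp_file" ] || { echo "no pinned digest for $vp_artifact" >&2; return 2; }

    # Normalise whitespace and case, then require exactly 128 hex characters
    # (512 bits) so a truncated or empty file cannot pass as a valid pin.
    vp_pinned=$(tr -d ' \r\n' < "$vp_file" | tr 'A-F' 'a-f')
    printf '%s' "$vp_pinned" | grep -Eq '^[0-9a-f]{128}$' \
        || { echo "malformed digest in $vp_file" >&2; return 3; }

    vp_actual=$(sha512sum "$vp_artifact" | cut -d' ' -f1)
    [ "$vp_actual" = "$vp_pinned" ] \
        || { echo "digest mismatch for $vp_artifact" >&2; return 1; }
}
```

The build should treat every non-zero return as fatal; the distinct codes only make the log say which link of the chain broke.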