-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatically refresh GPG keyring on startup and on signature failures. #272
Conversation
If the keys are changed upstream, how do we establish trust? |
@cfcs That is a good point that I never considered: I was assuming trust on the incoming key-id. I'll reconsider how I handle that situation... or we could drop the My initial thought was: the Tor Project recommends the If there was a dedicated, secure source to always obtain signing keys for Tor, that's what we should be talking to for Is running @micahflee what are your thoughts on this? This would only auto-correct for new sub-keys; still throw errors for entirely new keys, though perhaps that should be our intention. See next commit. Still logic there to later add support for getting new keys from a secure source if one is made available. |
torbrowser_launcher/common.py
Outdated
@@ -205,6 +205,17 @@ def init_gnupg(self): | |||
self.mkdir(self.paths['gnupg_homedir']) | |||
self.import_keys() | |||
|
|||
def refresh_keyring(self, fingerprint=None): | |||
p = subprocess.Popen(['/usr/bin/gpg', '--status-fd', '2', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we wait for this to terminate so that we can check the result?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the key doesn't get refreshed you will just get a verification error again after trying again, so I didn't see a need to actually check the results because I'm not sure what else we would do after, if the refresh failed.
I could have it spit out a message/dialog saying the refresh failed or that it worked, but you already find out when you click "Start Over" on the error prompt and it tries over from scratch (after trying a refresh again).
If you have an idea for what more to do in the event a refresh fails, I'm happy to go back and parse the output of the refresh.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You make a good point, I agree that the error handling at this point could get a bit icky.
If you agree with the point about detecting revoked keys, checking the result matters more.
One could also argue that "this is definitely not signed by something we know" is a nicer error message than "maybe you were mitm'ed, but maybe we just failed to contact the key server because the network is shit".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the user in question has the Python GPGME bindings installed, they will get an error message specifically mentioning the fingerprint of the missing key that resulted in the failure. Now we also spit GPG refresh output to the terminal when ran from the command line:
me@me-OEM:~$ ./torbrowser-launcher
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.2.4
https://github.com/micahflee/torbrowser-launcher
Refreshing local keyring...
Keyring refreshed successfully...
New signatures for key: EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
Launching './Browser/start-tor-browser --detach'...
@dephekt Oh, ok! I think your changed patch looks sensible! (but I think it should be doing a forced Here's my take on it:
My conclusion: I skimmed through the GPG man page (which is kind of long), and picked out the following options that we may want to pass:
I'd be happy to discuss my points further if you disagree or have questions, or if I overlooked something :-) Thanks for working on this! |
Agreed: The PR issues a call to refresh_keys upon every start, before a verify is ever attempted.
Agree. It's my opinion that missing, entirely new keys should trigger the failure dialog and require user-intervention/reporting here; which as-is should be what happens (per the commit after your initial comment).
This does already happen:
I will add this to the current PR soon. I will put the CA file in share/torbrowser-launcher/sks-keyservers.netCA.pem. The build process should cause that to install in /usr/share/torbrowser-launcher/sks-keyservers.netCA.pem or wherever the tor-browser-developers.asc file was installed.
@cfcs Is include-revoked applicable during a --refresh-keys operation? This reads to me like it's not, but I don't know for sure so I left it in there for now.
These are also default in my local GPG config (as well as the CA declaration). I will also add these to the arguments. Thanks for the suggestions and catching the initial trust issue. |
@micahflee The commit above introduces a new package dependency for Ubuntu at least. (Edited into the original PR post) |
The GnuPG output I was printing to the terminal is now parsed and returns nicer log messages:
|
This should be good to go now @micahflee. Let me know if you have any questions. |
This looks great, thank you for implementing it! (And sorry about taking so long to review it) |
This PR attempts to automatically resolve situations where Tor Browser signing keys are changed upstream, causing signature verification failures:
The user will still receive the verification failure dialog warning, but the key refresh will have happened then in the background, so clicking "Start Over" on the warning results in a successful verification on the next run. This should be a rare or impossible condition since we already refresh the keyring on startup now, but I supposed it wouldn't hurt.
New Packages Requirements:
Ubuntu/Debian:
gnupg-curl
is required for HKPS fetching to work in GPG during key refresh operations.Fixes:
PR aims to resolve #271 and future issues related to #260, #261, and #263.