Update Tor Browser Developers public key (#481) #482

Closed

@sysrqb sysrqb commented Jul 22, 2020

Closes #481

@rogers0
Contributor

rogers0 commented Sep 7, 2020

@sysrqb the key file was previously in text armor, but was changed to binary by your patch.
I think you should convert it with the command:

```
gpg --enarmor < binary_key.dat > text_key.txt
```

@kpcyrd
Contributor

kpcyrd commented Sep 7, 2020

We've also uploaded this patch to Arch Linux with torbrowser-launcher 0.3.2-3:

archlinux/svntogit-community@70c1188

@anthraxx

anthraxx commented Sep 7, 2020

This key is 3 MB in size, it should be reduced to just the key and selfsigs

@eli-schwartz

BIN +3.3 MB (26000%) share/torbrowser-launcher/tor-browser-developers.asc

Do you suppose there's a tiny chance this PR is completely and utterly wrong?

Old file:
https://github.com/micahflee/torbrowser-launcher/blob/275a2b82e3a3ea4027f664ecb7d9472ae4032c25/share/torbrowser-launcher/tor-browser-developers.asc#L1-L210

210 lines (209 sloc) 13.1 KB
file type: PGP public key block Public-Key (old)

New file:

https://github.com/sysrqb/torbrowser-launcher/blob/24811754d600e514ea94cf86f4d225bd9ca05f2a/share/torbrowser-launcher/tor-browser-developers.asc

3.31 MB
file type: PGP/GPG key public ring (v4) created Mon Dec 15 04:54:02 2014 RSA (Encrypt or Sign) 4096 bits MPI=0xd032cf90e5c02c85...

is a non-armored binary (should be .gpg, not .asc) and contains 21310 signatures, most of them poisoned I'm guessing. ;)

@rogers0
Contributor

rogers0 commented Sep 8, 2020

@anthraxx @eli-schwartz @kpcyrd

Thanks for your info!
I successfully stripped the key size to around 200KB:

```
TEMP=temp_gpg
mkdir -p $TEMP
chmod 700 $TEMP
gpg --homedir $TEMP -v --import-filter drop-sig="sig_created_d=2019-06-30" --import new.key
gpg --homedir $TEMP -a --export '4E2C6E8793298290' > share/torbrowser-launcher/tor-browser-developers.asc
rm -rf $TEMP
```

@eli-schwartz

I would actually recommend

```
gpg --homedir <homedir> --export-options export-minimal --export <keyid>
```

export-minimal ensures the exported key only contains the latest self-sig and no other web of trust data (for good or ill). And that's all you need if you trust the key out of band due to embedding it in a software distribution, and merely want to use it for verifying a signature against a known keyid.

You should be able to get it down to about 8 KB.
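
Added example (not from this PR or from torbrowser-launcher's code): a Python check a packager could run on a bundled key file before committing it, covering both points raised above, whether the file is ASCII-armored and whether it carries more certifications than one per user ID. The function names, the one-certification-per-UID heuristic and the sample bytes are assumptions made for illustration; no signature is verified.

```python
import base64
from collections import Counter

def dearmor(data):
    """Return (packet_bytes, was_armored); armor headers end at the first blank line."""
    lines = [ln.strip() for ln in data.strip().splitlines()]
    if not lines or not lines[0].startswith(b"-----BEGIN PGP"):
        return data, False
    b64 = [x for x in lines[lines.index(b"") + 1:] if not x.startswith((b"=", b"-----"))]
    return base64.b64decode(b"".join(b64)), True

def packets(buf):
    """Yield (tag, body) per OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(buf):
        hdr, i = buf[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if hdr & 0x40:                       # new-format header
            tag, o1, i = hdr & 0x3F, buf[i], i + 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n, i = ((o1 - 192) << 8) + buf[i] + 192, i + 1
            elif o1 == 255:
                n, i = int.from_bytes(buf[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            n = int.from_bytes(buf[i:i + size], "big") if size else len(buf) - i
            i += size
        yield tag, buf[i:i + n]
        i += n

def inspect_key(data):
    """Summarise a key file; extra_certs > 0 means more than one certification per UID."""
    raw, armored = dearmor(data)
    tags, certs = Counter(), 0
    for tag, body in packets(raw):
        tags[tag] += 1
        if tag == 2 and len(body) > 2:       # signature; types 0x10-0x13 certify a UID
            certs += 0x10 <= (body[2] if body[0] == 3 else body[1]) <= 0x13
    uids = tags[13] + tags[17]               # user ID and user attribute packets
    return {"armored": armored, "signatures": tags[2], "user_ids": uids,
            "extra_certs": max(0, certs - uids)}

# Constructed sample input: dummy packet bodies, not a real key.
MINIMAL = b"\x98\x08" + bytes(8) + b"\xb4\x03key" + b"\x88\x08\x04\x13" + bytes(6)
BLOATED = MINIMAL + (b"\x88\x08\x04\x10" + bytes(6)) * 5
```

On a real file, pass `open(path, "rb").read()` to `inspect_key`; a binary file with an `.asc` name shows up as `armored: False`, and a key that was not exported with `export-minimal` shows a non-zero `extra_certs`.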

@rogers0
Contributor

rogers0 commented Sep 8, 2020

@vrask

vrask commented Sep 15, 2020

@sysrqb will you update this PR with @eli-schwartz's suggestions?

@AsciiWolf
Collaborator

I agree that the text armor format would definitely be better. @sysrqb Any chance you could update this PR?

@sysrqb
Author

sysrqb commented Sep 24, 2020

@AsciiWolf and @eli-schwartz thanks for the suggested command. We're at 8KB now.

```
$ gpg2 --armour --export-options export-minimal --export 0x4E2C6E8793298290 > 0x4E2C6E8793298290.asc
$ du -sh 0x4E2C6E8793298290.asc
8.0K	0x4E2C6E8793298290.asc
$ mv 0x4E2C6E8793298290.asc share/torbrowser-launcher/tor-browser-developers.asc
```

@AsciiWolf AsciiWolf mentioned this pull request Oct 3, 2020
@micahflee
Collaborator

Fixed in #526

@micahflee micahflee closed this Oct 6, 2020
joebonrichie pushed a commit to solus-packages/torbrowser-launcher that referenced this pull request Aug 15, 2023
Summary:
Add version comparison patch to torbrowser-launcher

This adds a patch from [here](torproject/torbrowser-launcher#499) to fix the version comparison on install, which causes issues like [this one](torproject/torbrowser-launcher#498) and [this one](https://discuss.getsol.us/d/1128-how-do-i-install-and-config-the-tor/)
Also updates the signing key patch to only import an 8KB key instead of the previous 4 MB monstrosity, as suggested [here](torproject/torbrowser-launcher#482)

Test Plan: Successfully download and launch TorBrowser, plus a quick test query in DuckDuckGo

Reviewers: #triage_team, JoshStrobl

Reviewed By: #triage_team, JoshStrobl

Subscribers: JoshStrobl

Differential Revision: https://dev.getsol.us/D9787