Multiple signature verification #113

Closed
tildelowengrimm opened this issue Jul 29, 2014 · 9 comments
@tildelowengrimm

When checking signatures on new TBB binaries, require a more complex signature set than just Mike Perry. Perhaps Mike Perry and one of these several others.

@sarciszewski

Do all of the other Tor developers sign every release?

@micahflee
Collaborator

The files for the current version 3.6.3, are here: https://www.torproject.org/dist/torbrowser/3.6.3/

There's one file, sha256sums.txt that contains the hashes of all the binaries in that folder. Then there are three signature files, sha256sums.txt-gk.asc, sha256sums.txt-mikeperry.asc, and sha256sums.txt.asc.

After looking into it, sha256sums.txt.asc seems to be Erinn Clark's sig, sha256sums.txt-gk.asc seems to be Georg Koppen's sig, and sha256sums.txt-mikeperry.asc is Mike Perry's sig. For the current release at least they have all signed it.

I think Tor Browser Launcher right now only downloads and verifies Mike's signature. So actually, I think for the time being we should remove the other signing keys that aren't being used.

The problem with verifying all signatures is that I'm not confident that all three people will sign every release each time, or that they'll at least do it in a timely manner. I imagine that whoever makes the build signs it first, but it might take a couple days for the other sigs to get up. I think I'd want some assurance for the Tor folks about this before requiring verifying multiple keys.
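Checking the downloaded files against the sha256sums.txt layout described in the comment above, as an added example (not torbrowser-launcher code). The file names and tarball bytes are constructed stand-ins; the only real value is the SHA-256 of zero-length input, used for `empty.txt`. The signature files cover sha256sums.txt only, so a file that the sums list does not mention is reported rather than accepted.

```python
"""Verify downloaded files against a sha256sums.txt (added example, not launcher code)."""
import hashlib
import re
from typing import Dict, List, Tuple

# One line per file, as written by `sha256sum`: 64 hex digits, then "  name"
# (text mode) or " *name" (binary mode).
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Map file name -> expected lowercase hex digest; refuse malformed or conflicting lines."""
    expected: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed sha256sums line {lineno}: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if expected.get(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name!r}")
        expected[name] = digest
    return expected


def check_downloads(expected: Dict[str, str],
                    files: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Return (matching, mismatched, unlisted) file names.

    A file that sha256sums.txt does not mention is reported as unlisted rather than
    silently accepted: the signatures over the sums file say nothing about it.
    """
    ok, bad, unlisted = [], [], []
    for name, data in files.items():
        want = expected.get(name)
        if want is None:
            unlisted.append(name)
        elif sha256_hex(data) == want:
            ok.append(name)
        else:
            bad.append(name)
    return sorted(ok), sorted(bad), sorted(unlisted)


# Constructed stand-ins for a release directory. The tarball bytes are invented; the
# digest for empty.txt is the well-known SHA-256 of zero-length input.
TARBALL = "tor-browser-linux64-3.6.3_en-US.tar.xz"
SAMPLE_FILES: Dict[str, bytes] = {
    TARBALL: b"constructed stand-in for the tarball bytes\n",
    "empty.txt": b"",
}
SAMPLE_SUMS = (
    f"{sha256_hex(SAMPLE_FILES[TARBALL])}  {TARBALL}\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.txt\n"
)
# Same listing, but the tarball bytes no longer match the signed digest.
TAMPERED_FILES = dict(SAMPLE_FILES, **{TARBALL: b"one byte flipped somewhere in here\n"})

if __name__ == "__main__":
    sums = parse_sha256sums(SAMPLE_SUMS)
    print("clean:   ", check_downloads(sums, SAMPLE_FILES))
    print("tampered:", check_downloads(sums, TAMPERED_FILES))
```

The hash check is only meaningful after at least one signature over sha256sums.txt has verified; the order is signature first, then digests, never the reverse.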

@micahflee
Collaborator

With #117 I just removed everyone's keys except Mike Perry's, since in the code that's the only one that's actually getting checked. If we did want to do this it would then make sense to add them back in.

@micahflee
Collaborator

A new TBB update was just released that broke Tor Browser Launcher (#120). They both added back alphas to RecommendedTBBVersions and also removed the multiple signatures. Versions 3.6.4 and 4.0-alpha-1 are only signed by Erinn Clark's key, and no one else's. For the last couple releases Tor Browser Launcher has only been checking against Mike Perry's key, but he didn't sign this latest release.

So I think that means that this feature request isn't really viable, unless the TBB devs can be 100% consistent with their release sigs.

@leif
Contributor

leif commented Aug 11, 2014

I'm pretty sure that every stable release of TBB 3.x has had at least 3 people signing sha256sums.txt (after building it independently) at the time when I've upgraded to it. 3.6.4 doesn't yet, but it also isn't listed on the Tor downloads page and hasn't been announced on the blog. (It also doesn't update firefox or fix any critical bugs afaict.)

To enjoy the benefit of deterministic builds, I think TBL should probably include all of the keys listed as people who sometimes sign TBB builds (currently there are 5: Mike, Erinn, gk, Nicolas, and Linus) and then require signatures from at least 3 of them (and perhaps that at least 1 of the 3 is Mike or Erinn). In other words, implement what paranoid deterministic-build-aware users have been doing for the last year.

That would break at this moment, since 3.6.4 is listed in the RecommendedTBBVersions file and only has one signature. But, 3.6.3 is also still listed there, so Tor Browser 3.6.3 users aren't seeing an update notification yet, which tells me that TBL users shouldn't need to update yet either.

Should a fresh TBL install also prefer the lowest recommended version? I think the answer is yes, since that is what most non-TBL TBB users will be currently using.

When installing other versions than the default one (assuming TBL exposes an option to do that, which I think it should but couldn't find when I looked just now) the requirement should be lowered to one signature.

In any case, I hope something can be done here, since a lot of work has gone into making it possible to update Tor Browser and not be vulnerable to a targeted attack using a single compromised key. Eventually TBB will have its own updater that benefits from this, but right now it's probably only a tiny fraction of users who are manually verifying multiple signatures. It would be great if torbrowser-launcher could do it automatically!

@leif
Contributor

leif commented Aug 15, 2014

My prediction has failed - 3.6.4 is announced now: https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released

...and it still only has one signature. I just wrote to tor-dev to ask about this:
https://lists.torproject.org/pipermail/tor-dev/2014-August/007364.html

Also, 3.6.3 is still in RecommendedTBBVersions, since 3.6.4 doesn't have critical security fixes. So, right now, new TBB users are getting 3.6.4, but most existing 3.6.3 users are unaware of the upgrade - which makes the "install lowest-numbered recommended version" logic for TBL I suggested above seem less reasonable.

@micahflee
Collaborator

As of the last version, the new logic is install highest-numbered recommended version that doesn't include "-alpha-" or "-beta-" in its name. Seems to be working so far.

@micahflee
Collaborator

Version 3.6.5 was just released and Tor Browser Launcher was just broken for several hours because Erinn Clark hadn't uploaded her sig yet (#131). But now she has uploaded her sig and the launcher works again.

I think this goes to show the process is fairly brittle already, and should be improved to be less brittle. Also, the sigs don't all appear online at the same time. So how should we solve this?

One option is to try to download all sigs (5 of them, allegedly, although I'm not sure if I've ever noticed more than 3 at a time), and then proceed if any one of them is valid.

A slightly more paranoid approach would be to proceed if any two are valid. That would have prevented this morning's problem.

Right now https://www.torproject.org/dist/torbrowser/3.6.5/ has the files:

  • sha256sums.txt-gk.asc (Georg Koppen)
  • sha256sums.txt-mikeperry.asc (Mike Perry)
  • sha256sums.txt.asc (Erinn Clark)

I don't know what the filenames of the other signers would be, or if they'll remain consistent.
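The "k of n" policy leif proposes (3 of 5, at least one of them Mike or Erinn) and the "any one" / "any two" variants micahflee weighs above, written out as an added example that is not torbrowser-launcher code. It drives GnuPG through its machine-readable `--status-fd` output and applies the policy to whichever `sha256sums.txt*.asc` files were downloadable. The signer fingerprints, user IDs and status lines below are constructed placeholders, not the real Tor developer keys; `gpg_status()` is the only function that touches a real `gpg` and is not exercised by the constructed data.

```python
"""Threshold ("k of n") signer policy over GnuPG detached signatures on sha256sums.txt."""
import subprocess
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Placeholder primary-key fingerprints for the five people named in the thread.
TRUSTED: Dict[str, str] = {
    "0000000000000000000000000000000000000001": "mikeperry",
    "0000000000000000000000000000000000000002": "erinn",
    "0000000000000000000000000000000000000003": "gk",
    "0000000000000000000000000000000000000004": "nicolas",
    "0000000000000000000000000000000000000005": "linus",
}
MIKE_OR_ERINN: FrozenSet[str] = frozenset(
    fp for fp, who in TRUSTED.items() if who in ("mikeperry", "erinn"))


def gpg_status(keyring: str, sig_path: str, data_path: str) -> str:
    """Verify one detached signature with GnuPG; return its --status-fd lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


def valid_signer(status: str) -> Optional[str]:
    """Primary-key fingerprint if gpg reported GOODSIG *and* VALIDSIG, else None.

    EXPKEYSIG / REVKEYSIG / EXPSIG are also accompanied by a VALIDSIG line, so
    requiring GOODSIG keeps expired or revoked keys from counting toward k.
    """
    good, fpr = False, None
    for line in status.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] == "GOODSIG":
            good = True
        elif f[1] == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> [<primary-fpr>]
            # Prefer the primary fingerprint so a signing subkey maps to the same person.
            fpr = f[11] if len(f) > 11 else f[2]
    return fpr.upper() if good and fpr else None


@dataclass(frozen=True)
class Policy:
    threshold: int                               # distinct trusted signers required
    required_any: FrozenSet[str] = frozenset()   # if non-empty, one signer must be from here


def evaluate(statuses: Dict[str, str], trusted: Dict[str, str],
             policy: Policy) -> Tuple[bool, List[str]]:
    """Apply the policy to per-signature-file gpg status; return (accepted, signer names)."""
    signers = set()
    for status in statuses.values():
        fpr = valid_signer(status)
        if fpr in trusted:      # keys outside the trusted set never count
            signers.add(fpr)    # a set: two files signed by one key count once
    accepted = len(signers) >= policy.threshold and (
        not policy.required_any or bool(signers & policy.required_any))
    return accepted, sorted(trusted[fp] for fp in signers)


def good_status(fpr: str, uid: str) -> str:
    """Constructed status output for a good signature by `fpr` (shape of real gpg output)."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} {uid}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2014-08-26 1409000000 0 4 0 1 10 00 {fpr}\n"
            "[GNUPG:] TRUST_UNDEFINED\n")


# Constructed scenario: gk and Mike verify, the unsuffixed file fails to verify, and a
# fourth file is signed by a key that is not in the trusted set at all.
SAMPLE_STATUSES = {
    "sha256sums.txt-gk.asc": good_status("0" * 39 + "3", "Georg Koppen (placeholder)"),
    "sha256sums.txt-mikeperry.asc": good_status("0" * 39 + "1", "Mike Perry (placeholder)"),
    "sha256sums.txt.asc": "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0000000000000002 Erinn Clark (placeholder)\n",
    "sha256sums.txt-stranger.asc": good_status("F" * 40, "Nobody (placeholder)"),
}
# Same key signed twice under two file names: must not satisfy a 2-of-n policy.
DUPLICATE_STATUSES = {
    "a.asc": good_status("0" * 39 + "3", "Georg Koppen (placeholder)"),
    "b.asc": good_status("0" * 39 + "3", "Georg Koppen (placeholder)"),
}
# Expired key: VALIDSIG present but no GOODSIG.
EXPIRED_STATUS = ("[GNUPG:] NEWSIG\n[GNUPG:] EXPKEYSIG 0000000000000004 Nicolas (placeholder)\n"
                  f"[GNUPG:] VALIDSIG {'0' * 39 + '4'} 2014-08-26 1409000000 0 4 0 1 10 00 {'0' * 39 + '4'}\n")

if __name__ == "__main__":
    for p in (Policy(1), Policy(2), Policy(3, MIKE_OR_ERINN)):
        print(p, "->", evaluate(SAMPLE_STATUSES, TRUSTED, p))
```

On a real release directory the `statuses` dict would be built by running `gpg_status()` once per `sha256sums.txt*.asc` file that was actually downloadable, so a signature that has not been uploaded yet simply does not contribute; the policy then decides whether what is present is enough, which is exactly the brittleness trade-off discussed above.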

@micahflee
Collaborator

It looks like the official Tor Browser Developers (signing key) with fingerprint EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 is the only signing key now.
