[Pkg-privacy-maintainers] [Pkg-anonymity-tools] A bug in the torbrowser-launcher package.

u u at 451f.org
Mon Feb 20 10:05:00 UTC 2017


Hi!

(top posting as this is a forward from the old mailing list.)

Thank you very much for your report.

(Our new contact address is
pkg-privacy-maintainers at lists.alioth.debian.org by the way.)

I uploaded a version to experimental yesterday which should fix this
problem: https://tracker.debian.org/pkg/torbrowser-launcher

I'll try to get this package into unstable too, so that everybody can
use this fix.

Cheers!
ulrike

Alexander N. Kozhushkin:
> Dear maintainers,
> 
> There is a bug in the torbrowser-launcher packages in the Debian Stable
> and Testing distributions.
> 
> Because the Tor project team have added a new subkey, their signing key
> has been changed, which affects the ability of the torbrowser-launcher,
> using the old key, to verify correctly the authenticity of the
> torbrowser for all new versions of the browser.
> 
> After the Tor team uploaded version 6.5 of the Tor browser to their
> servers, when started, the torbrowser-launcher utility checks for
> updates, successfully downloads the newest version of the Tor browser
> archive and its GPG signature, but then fails to verify and unpack the
> archive, and ends up with a window containing an error message and
> prompting the user to try and download the browser again or to abort the
> program. The error message runs as follows:
> 
> ``SIGNATURE VERIFICATION FAILED!
> You might be under attack, or there might just be a
> networking problem. Click Start try the download again''
> 
> It should be noted that I'm not the only one who has had that problem,
> see for example the messages from other Debian users:
> a complaint from Sebastian Niehaus (the Stable distribution) at
> http://git.net/ml/general/2017-01/msg28798.html,
> and a correspondence between Gregor Zattler (the Testing distribution)
> and Micah Lee:
> https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494556.html
> 
> https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494724.html
> 
> https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494773.html
> 
> 
> As far as I can see the developer of the torbrowser-launcher program,
> Micah Lee, has fixed the bug in the new upstream releases, but the issue
> still exists in the old releases used by Debian and may keep affecting
> many users, with some people thinking that they are really `under attack'.
> 
> As to me, I'm running the Stable distribution, and I have managed to
> circumvent the problem on my computer by just fetching the new key from
> the Tor developers with the gpg utility and then saving the correct key
> to the `/usr/share/torbrowser-launcher/tor-browser-developers.asc' file.
> After this had been done, the torbrowser-launcher successfully
> updated and started the browser.
> 
> Thus, if I understand it right, it appears that the bug can be easily
> fixed in the old versions of the torbrowser-launcher Debian packages by
> just replacing in the archives the incorrect old
> `/usr/share/torbrowser-launcher/tor-browser-developers.asc' file with
> that containing the new version of the Tor team signing key.
> 
> So, please fix the bug as soon as possible!
> 
> Sincerely yours,
>       Alexander N. Kozhushkin.
> 
> P.S.
> 
> Here is how I solved the problem on my computer, in detail with comments:
> 
> # First, import the Tor Browser team's key (0x4E2C6E8793298290):
> 
> alex@calculator:bash$ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
> 
> # Next, verify that the fingerprint is correct (compare the output with that shown on
> # the official Tor Project site at https://www.torproject.org/docs/verifying-signatures.html.en):
> 
> alex@calculator:bash$ gpg --fingerprint 0x4E2C6E8793298290
> pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
>       Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
> uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
> sub   4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
> sub   4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
> sub   4096R/C3C07136 2016-08-24 [expires: 2018-08-24]
> 
> # Now, save the `Tor Browser Developers' key to the `tor-browser-developers.asc' file:
> 
> alex@calculator:bash$ gpg --output tor-browser-developers.asc --armor --export "Tor Browser Developers"
> 
> # Finally, change the ownership of the file to `root:root' and move it to the intended
> # destination:
> 
> alex@calculator:bash$ su root
> Password:
> root@calculator:bash# chown root:root tor-browser-developers.asc
> root@calculator:bash# mv tor-browser-developers.asc /usr/share/torbrowser-launcher/tor-browser-developers.asc
> 
> 
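The failure described in the report, a signature made with a subkey that the launcher's bundled keyring does not yet know, produces the same user-facing "SIGNATURE VERIFICATION FAILED" message as a genuinely bad signature. The Python below is an added example, not code from torbrowser-launcher or from either poster: it reads gpg's machine-readable `--status-fd` output and separates "signing key not in keyring" (refresh the key, check its fingerprint, retry) from "bad signature" (treat as hostile) from "good signature by the expected key". The `[GNUPG:]` lines are constructed sample input modelled on gpg's status format, the 16-hex key IDs in them are constructed placeholders, and the only real value is the primary-key fingerprint quoted in the report above.

```python
import re
from dataclasses import dataclass

# Fingerprint of "Tor Browser Developers (signing key)" exactly as quoted in the report.
EXPECTED_FPR = "EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290"


def normalize_fpr(fpr: str) -> str:
    """Drop whitespace and upper-case so fingerprints from different sources compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_matches(reported: str, expected: str = EXPECTED_FPR) -> bool:
    """True only for a full 40-hex-digit match; a short key ID (93298290) is not sufficient."""
    r, e = normalize_fpr(reported), normalize_fpr(expected)
    return len(r) == 40 and r == e


@dataclass
class VerifyResult:
    status: str            # "good", "bad", "no_pubkey" or "error"
    key_id: str = ""       # key ID gpg reported for the signature
    primary_fpr: str = ""  # primary-key fingerprint from VALIDSIG, when available


def classify_status(status_lines):
    """Classify the outcome of `gpg --status-fd 1 --verify sig file` from its status lines.

    Only the machine-readable "[GNUPG:]" lines are consulted; the human-readable
    stderr text is locale-dependent and not meant to be parsed.
    """
    result = VerifyResult(status="error")
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "NO_PUBKEY":
            # The signing key (or subkey) is absent from the local keyring: this is the
            # "new subkey" failure from the report and, by itself, no evidence of tampering.
            result = VerifyResult(status="no_pubkey", key_id=fields[2])
        elif tag == "BADSIG":
            # The key is known and the signature does not check out: treat as hostile.
            result = VerifyResult(status="bad", key_id=fields[2])
        elif tag == "GOODSIG":
            result = VerifyResult(status="good", key_id=fields[2])
        elif tag == "VALIDSIG" and result.status == "good":
            # VALIDSIG: field 2 is the signing (sub)key fingerprint; when 12 fields are
            # present, field 11 is the primary-key fingerprint, which is what we pin.
            result.primary_fpr = fields[11] if len(fields) >= 12 else fields[2]
    return result


def diagnose(status_lines, expected_primary=EXPECTED_FPR):
    """Map a verification outcome to the action a launcher should take."""
    r = classify_status(status_lines)
    if r.status == "good":
        return "ok" if fingerprint_matches(r.primary_fpr, expected_primary) else "signed_by_unexpected_key"
    if r.status == "no_pubkey":
        return "keyring_outdated"  # refresh the bundled key, verify its fingerprint, retry
    if r.status == "bad":
        return "bad_signature"
    return "error"


# Constructed sample status output (not captured from a real gpg run).
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1234567890ABCDEF Tor Browser Developers (signing key) <torbrowser@torproject.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-02-15 1487100000 0 4 0 1 10 00 "
    + normalize_fpr(EXPECTED_FPR),
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 1234567890ABCDEF Tor Browser Developers (signing key) <torbrowser@torproject.org>",
]
SAMPLE_NO_PUBKEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG FEDCBA0987654321 1 10 00 1487100000 9",
    "[GNUPG:] NO_PUBKEY FEDCBA0987654321",
]

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("no_pubkey", SAMPLE_NO_PUBKEY)):
        print(name, "->", diagnose(sample))
```

The point of pinning the primary-key fingerprint rather than a subkey ID is exactly the situation in the report: subkeys rotate (the 2016-08-24 subkey above was added after the Debian package shipped its copy of the key), while the primary fingerprint the Tor Project publishes stays the same, so a launcher that knows the primary fingerprint can tell "my keyring is stale" apart from "this download is not what it claims to be".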


