[Pkg-anonymity-tools] A bug in the torbrowser-launcher package.
Alexander N. Kozhushkin
alex.kozhushkin at gmail.com
Mon Feb 20 01:19:57 UTC 2017
Dear maintainers,
There is a bug in the torbrowser-launcher packages in the Debian Stable
and Testing distributions.
Because the Tor project team have added a new subkey, their signing key
has been changed, which affects the ability of the torbrowser-launcher,
using the old key, to verify correctly the authenticity of the
torbrowser for all new versions of the browser.
After the Tor team uploaded version 6.5 of the Tor browser to their
servers, when started, the torbrowser-launcher utility checks for
updates, successfully downloads the newest version of the Tor browser
archive and its GPG signature, but then fails to verify and unpack the
archive, and ends up with a window containing an error message and
prompting the user to try and download the browser again or to abort the
program. The error message runs as follows:
"SIGNATURE VERIFICATION FAILED!
You might be under attack, or there might just be a
networking problem. Click Start try the download again"
It should be noted that I'm not the only one who has had that problem,
see for example the messages from other Debian users:
a complaint from Sebastian Niehaus (the Stable distribution) at
http://git.net/ml/general/2017-01/msg28798.html,
and a correspondence between Gregor Zattler (the Testing distribution)
and Micah Lee:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494556.html
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494724.html
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494773.html
As far as I can see the developer of the torbrowser-launcher program,
Micah Lee, has fixed the bug in the new upstream releases, but the issue
still exists in the old releases used by Debian and may keep affecting
many users, with some people thinking that they are really `under attack'.
As to me, I'm running the Stable distribution, and I have managed to
circumvent the problem on my computer by just fetching the new key from
the Tor developers with the gpg utility and then saving the correct key
to the `/usr/share/torbrowser-launcher/tor-browser-developers.asc' file.
After this having been done, the torbrowser-launcher successfully
updated and started the browser.
Thus, if I understand it right, it appears that the bug can be easily
fixed in the old versions of the torbrowser-launcher Debian packages by
just replacing in the archives the incorrect old
`/usr/share/torbrowser-launcher/tor-browser-developers.asc' file with
that containing the new version of the Tor team signing key.
So, please fix the bug as soon as possible!
Sincerely yours,
Alexander N. Kozhushkin.
P.S.
Here is how I solved the problem on my computer, in detail and with comments:
# First, import the Tor Browser team's key (0x4E2C6E8793298290):
alex@calculator:bash$ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

# Next, verify that the fingerprint is correct (compare the output with that shown on
# the official Tor Project site at https://www.torproject.org/docs/verifying-signatures.html.en):
alex@calculator:bash$ gpg --fingerprint 0x4E2C6E8793298290
pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub   4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
sub   4096R/C3C07136 2016-08-24 [expires: 2018-08-24]

# Now, save the `Tor Browser Developers' key to the `tor-browser-developers.asc' file:
alex@calculator:bash$ gpg --output tor-browser-developers.asc --armor --export "Tor Browser Developers"

# Finally, change the ownership of the file to `root:root' and move it to the intended
# destination:
alex@calculator:bash$ su root
Password:
root@calculator:bash# chown root:root tor-browser-developers.asc
root@calculator:bash# mv tor-browser-developers.asc /usr/share/torbrowser-launcher/tor-browser-developers.asc
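The manual procedure above relies on the reader eyeballing the fingerprint. The script below is an added example, not code from the post or from the torbrowser-launcher project: it automates the same four steps but pins the full 40-hex-digit fingerprint quoted in the message and refuses to install anything else, so a keyserver that returns a different key under the same 64-bit key ID 0x4E2C6E8793298290 is rejected rather than trusted. The keyserver URL, the use of install(1) and the fields of the embedded sample gpg output other than the fingerprint are assumptions; the fingerprint, key ID and destination path are the ones in the message.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): install the Tor Browser
# Developers signing key for torbrowser-launcher only after the primary-key
# fingerprint matches a pinned value.

KEY_ID="0x4E2C6E8793298290"
EXPECTED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
DEST="/usr/share/torbrowser-launcher/tor-browser-developers.asc"
# Assumption: the post used pool.sks-keyservers.net; any HKP(S) server works here.
KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"

# normalize_fpr FPR: upper-case and drop the spaces gpg prints in human output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# primary_fpr: read `gpg --with-colons --fingerprint` output on stdin and print
# the first "fpr" record's 10th field, which is the primary key's fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches ACTUAL EXPECTED: succeed only on a non-empty, exact match.
fpr_matches() {
    a=$(normalize_fpr "$1"); e=$(normalize_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$e" ]
}

# Constructed sample of --with-colons output for the key above, so the parsing
# can be exercised offline. Only the first fpr record is real; the creation /
# expiry timestamps and the subkey long ID are placeholders.
sample_colons_output() {
    cat <<'EOF'
pub:-:4096:1:4E2C6E8793298290:1418601600:1598227200::-:::scESC:
fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:
uid:-::::1418601600::::Tor Browser Developers (signing key) <torbrowser@torproject.org>:
sub:-:4096:1:00000000F65C2036:1418601600:1503619200:::::s:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
EOF
}

# install_key: fetch, verify the fingerprint, export by fingerprint, install
# as root:root mode 0644. Needs network access and root.
install_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$KEY_ID" || return 1
    got=$(gpg --with-colons --fingerprint "$KEY_ID" | primary_fpr)
    if ! fpr_matches "$got" "$EXPECTED_FPR"; then
        printf 'refusing to install: fingerprint "%s" != "%s"\n' "$got" "$EXPECTED_FPR" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Export by full fingerprint, not by user ID, so a second key that merely
    # carries the same name cannot be picked up.
    gpg --armor --export "$EXPECTED_FPR" > "$tmp" || { rm -f "$tmp"; return 1; }
    install -o root -g root -m 0644 "$tmp" "$DEST" && rm -f "$tmp"
}

# Only touch the network and the filesystem when explicitly asked, so the
# functions above can be sourced and checked on their own.
if [ "${1:-}" = "--install" ]; then
    install_key
fi
```

Run as `sudo sh install-tbb-key.sh --install`. Exporting by fingerprint rather than by the string "Tor Browser Developers" matters because `gpg --export` with a name exports every key whose user ID matches, so a second, unrelated key with the same name in the keyring would be written into the launcher's trusted-key file as well.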