[Pkg-anonymity-tools] A bug in the torbrowser-launcher package.

Alexander N. Kozhushkin alex.kozhushkin@gmail.com
Mon Feb 20 01:19:57 UTC 2017


Dear maintainers,

There is a bug in the torbrowser-launcher packages in the Debian Stable 
and Testing distributions.

Because the Tor project team have added a new subkey, their signing key 
has been changed, which affects the ability of the torbrowser-launcher, 
using the old key, to verify correctly the authenticity of the 
torbrowser for all new versions of the browser.

After the Tor team uploaded version 6.5 of the Tor browser to their 
servers, when started, the torbrowser-launcher utility checks for 
updates, successfully downloads the newest version of the Tor browser 
archive and its GPG signature, but then fails to verify and unpack the 
archive, and ends up with a window containing an error message and 
prompting the user to try and download the browser again or to abort the 
program. The error message runs as follows:

``SIGNATURE VERIFICATION FAILED!
You might be under attack, or there might just be a
networking problem. Click Start try the download again''

It should be noted that I'm not the only one who has had that problem, 
see for example the messages from other Debian users:
a complaint from Sebastian Niehaus (the Stable distribution) at 
http://git.net/ml/general/2017-01/msg28798.html,
and a correspondence between Gregor Zattler (the Testing distribution) 
and Micah Lee:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494556.html
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494724.html
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1494773.html

As far as I can see the developer of the torbrowser-launcher program, 
Micah Lee, has fixed the bug in the new upstream releases, but the issue 
still exists in the old releases used by Debian and may keep affecting 
many users, with some people thinking that they are really `under attack'.

As for me, I'm running the Stable distribution, and I have managed to 
circumvent the problem on my computer by just fetching the new key from 
the Tor developers with the gpg utility and then saving the correct key 
to the `/usr/share/torbrowser-launcher/tor-browser-developers.asc' file. 
Once this was done, the torbrowser-launcher successfully 
updated and started the browser.

Thus, if I understand it right, it appears that the bug can be easily 
fixed in the old versions of the torbrowser-launcher Debian packages by 
just replacing in the archives the incorrect old 
`/usr/share/torbrowser-launcher/tor-browser-developers.asc' file with 
that containing the new version of the Tor team signing key.

So, please fix the bug as soon as possible!

Sincerely yours,
       Alexander N. Kozhushkin.

P.S.

Here is how I solved the problem on my computer, in detail, with comments:

# First, import the Tor Browser team's key (0x4E2C6E8793298290):

alex@calculator:bash$ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

# Next, verify that the fingerprint is correct (compare the output with that shown on
# the official Tor Project site at https://www.torproject.org/docs/verifying-signatures.html.en):

alex@calculator:bash$ gpg --fingerprint 0x4E2C6E8793298290
pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub   4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
sub   4096R/C3C07136 2016-08-24 [expires: 2018-08-24]

# Now, save the `Tor Browser Developers' key to the `tor-browser-developers.asc' file:

alex@calculator:bash$ gpg --output tor-browser-developers.asc --armor --export "Tor Browser Developers"

# Finally, change the ownership of the file to `root:root' and move it to the intended
# destination:

alex@calculator:bash$ su root
Password:
root@calculator:bash# chown root:root tor-browser-developers.asc
root@calculator:bash# mv tor-browser-developers.asc /usr/share/torbrowser-launcher/tor-browser-developers.asc

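As an added example (not part of the report above, nor torbrowser-launcher's own code), the check a maintainer or user can run to tell a genuine-but-stale bundled keyring apart from a wrong or tampered one: parse gpg's --with-colons listing of tor-browser-developers.asc and confirm both the primary fingerprint quoted in the report and the presence of the subkey the listing above shows was added in 2016. The colon-format listing embedded below is constructed from the key data in the report (the long subkey ids are placeholders), and feeding real gpg output assumes GnuPG 2.1.13 or later for `--import-options show-only`.

```shell
#!/bin/sh
# Added example, not from the report: tell a genuine-but-stale bundled
# tor-browser-developers.asc (missing the 2016 subkey) from one that is not
# the Tor key at all, using gpg's --with-colons listing. Real input, assuming
# GnuPG >= 2.1.13:
#   gpg --with-colons --import-options show-only --import \
#       /usr/share/torbrowser-launcher/tor-browser-developers.asc | check_keyring C3C07136
EXPECTED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"  # fingerprint quoted in the report

# stdin: listing; $1: expected fingerprint. The fpr record right after a pub
# record is the primary key's fingerprint. Exit 0 on match.
primary_fpr_matches() {
  awk -F: -v want="$1" '
    $1 == "pub" { inpub = 1; next }
    $1 == "fpr" && inpub { ok = ($10 == want); inpub = 0 }
    END { exit (ok ? 0 : 1) }'
}

# stdin: listing; $1: subkey id (short or long hex). Exit 0 if a sub record
# ends in that id and is neither expired (validity e) nor revoked (r).
keyring_has_subkey() {
  awk -F: -v id="$1" '
    $1 == "sub" && $2 != "e" && $2 != "r" &&
      toupper(substr($5, length($5) - length(id) + 1)) == toupper(id) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# stdin: listing; $1: subkey id current releases are signed with.
check_keyring() {
  listing=$(cat)
  if ! printf '%s\n' "$listing" | primary_fpr_matches "$EXPECTED_FPR"; then
    echo "primary fingerprint mismatch: do not trust this keyring"; return 2
  fi
  if ! printf '%s\n' "$listing" | keyring_has_subkey "$1"; then
    echo "genuine key but subkey $1 missing: stale keyring, new releases will not verify"; return 1
  fi
  echo "keyring carries the expected key and subkey"
}

# Constructed stand-in for the stale keyring shipped with the Debian package: the
# genuine primary key with only the two 2014 subkeys (long subkey ids are placeholders).
OLD_KEYRING_COLONS=$(cat <<'EOF'
pub:-:4096:1:4E2C6E8793298290:1418601600:1598227200::-:::scESC::::::
fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:
sub:-:4096:1:00000000F65C2036:1418601600:1503619200:::::s::::::
sub:-:4096:1:00000000D40814E0:1418601600:1503619200:::::e::::::
EOF
)
printf '%s\n' "$OLD_KEYRING_COLONS" | check_keyring C3C07136 || echo "exit status $?"
```

With the stale listing the script reports the missing subkey and exit status 1, which is the situation behind the launcher's "SIGNATURE VERIFICATION FAILED" message; a fingerprint mismatch returns 2 instead.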