Georg Koppen committed on 2015-01-20 13:15:28
Showing 1 changed file with 22 additions and 0 deletions.
We add a section explaining how to verify that the signed MAR files we ship are essentially the ones our Gitian setup produced.
@@ -237,6 +237,28 @@ |
237 | 237 |
|
238 | 238 |
<hr> |
239 | 239 |
|
240 |
+ <a id="MARVerification"></a> |
|
241 |
+ <h3><a class="anchor" href="#MARVerification"> |
|
242 |
+ Verifying MAR files we ship (advanced)</a></h3> |
|
243 |
+ <hr> |
|
244 |
+ <p>Starting with Tor Browser 4.5a4 we sign our MAR files which helps |
|
245 |
+ securing our update process. The downside of this is the need for additional |
|
246 |
+ instructions to verify that the MAR files we ship are indeed the ones we |
|
247 |
+ produced with our Gitian setup.</p> |
|
248 |
+ |
|
249 |
+ <p>Assuming the verification happens on a Linux computer one first needs the |
|
250 |
+ <tt>mar-tools-linux*.zip</tt> out of the <tt>gitian-builder/inputs</tt> |
|
251 |
+ directory to remove the embedded signature(s). The steps to get the unsigned |
|
252 |
+ MAR file on a 64 bit Linux are</p> |
|
253 |
+ <pre> |
|
254 |
+ cd /path/to/MAR/file |
|
255 |
+ unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip |
|
256 |
+ mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre> |
|
257 |
+ <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt> |
|
258 |
+ with the one provided in the <tt>sha265sums.txt</tt> or |
|
259 |
+ <tt>sha256sums.incremental.txt</tt> as outlined in <a href="#BuildVerification">Verifying |
|
260 |
+ sha256sums (advancded)</a> above.</p> |
|
261 |
+ |
|
240 | 262 |
</div> |
241 | 263 |
<!-- END MAINCOL --> |
242 | 264 |
<div id = "sidecol"> |
243 | 265 |
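Review bot: The closing paragraph of this hunk (lines 257-260 in the new file) names the wrong checksum file: `<tt>sha265sums.txt</tt>` should be `<tt>sha256sums.txt</tt>`, otherwise readers following the instructions will look for a file that does not ship and may skip the comparison that is the whole point of the section. The same paragraph also has a typo in the anchor text, `sha256sums (advancded)`, which should read `sha256sums (advanced)` to match the heading it links to. Minor wording in the first paragraph (line 244): `which helps securing our update process` should be `which helps secure our update process`. Consider also stating in the prose that the `<pre>` block writes a new file (`your-unsigned-mar-file.mar`) and leaves the signed MAR untouched, so it is clear which of the two files the SHA256 comparison applies to.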