Bug 14304: Document stripping of MAR files
Georg Koppen

Georg Koppen committed on 2015-01-20 13:15:28
Showing 1 changed file with 22 additions and 0 deletions.


We add a section explaining how to verify that the signed MAR files we
ship are essentially the ones our Gitian setup produced.
@@ -237,6 +237,28 @@
237 237
 
238 238
     <hr>
239 239
 
240
+    <a id="MARVerification"></a>
241
+    <h3><a class="anchor" href="#MARVerification">
242
+    Verifying MAR files we ship (advanced)</a></h3>
243
+    <hr>
244
+    <p>Starting with Tor Browser 4.5a4 we sign our MAR files which helps
245
+    securing our update process. The downside of this is the need for additional
246
+    instructions to verify that the MAR files we ship are indeed the ones we
247
+    produced with our Gitian setup.</p>
248
+
249
+    <p>Assuming the verification happens on a Linux computer one first needs the
250
+    <tt>mar-tools-linux*.zip</tt> out of the <tt>gitian-builder/inputs</tt>
251
+    directory to remove the embedded signature(s). The steps to get the unsigned
252
+    MAR file on a 64 bit Linux are</p>
253
+    <pre>
254
+    cd /path/to/MAR/file
255
+    unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
256
+    mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
257
+    <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
258
+    with the one provided in the <tt>sha265sums.txt</tt> or
259
+    <tt>sha256sums.incremental.txt</tt> as outlined in <a href="#BuildVerification">Verifying
260
+    sha256sums (advancded)</a> above.</p>
261
+
240 262
   </div>
241 263
   <!-- END MAINCOL -->
242 264
   <div id = "sidecol">
243 265
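Review bot: the added paragraph misnames the sums file: `<tt>sha265sums.txt</tt>` should read `sha256sums.txt`, the file the linked "Verifying sha256sums" section describes, and the link text `sha256sums (advancded)` should be `sha256sums (advanced)`; `which helps securing our update process` also reads better as `which helps secure our update process`. One substantive point worth stating in the text: the steps only show that the shipped MAR, once `signmar -r` has stripped the embedded signature, hashes to the same value as the Gitian-built unsigned MAR, i.e. that the payload is the one we built. They do not check the signature itself, since `-r` removes it rather than validates it, so a reader following this section should be told that signature validity is a separate check and that this procedure is about matching the build output, not about proving the file was signed by us.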