[bisq-network/bisq] Bump netlayer to use tor binary from tor browser v10.0 (#4604)

cd2357 notifications at github.com
Wed Oct 7 13:35:42 UTC 2020


> the tor browser version is of no interest at all to bisq or the netlayer or the tor-binary project. The only reason to use the tor browser binaries in the first place was that the tor guys released signed versions of these binaries - hence, we have a trusted source of tor binaries.

Yes.

Currently there was no way to check if the tor binaries used in Bisq were the ones extracted from authenticated tor browser binaries, because:
- current tor binaries used in Bisq are extracted from tor-browser 9.5.3 (for which binaries or hashes are not provided anymore on the official website)
- the build process which processed those tor-browsers to extract the tor binaries relied on `SHA-512`, and there are no published `SHA-512` hashes for any official tor binary

Therefore, to establish some sort of proof that our jars are built from binaries from the official tor-browser binaries, I forked `tor-binary` and `netlayer` (links to branches and jitpack builds in PR description above), plus modified the process to check the published `SHA-256` hashes.

> That being said, @cd2357 can we trust you that you verified every and all signatures prior to injecting the sha256 sums? did anyone check if cd2357 did?

Don't trust, verify :)

- Published signed hashes: https://dist.torproject.org/torbrowser/10.0/sha256sums-signed-build.txt
- Signature of published signed hashes: https://dist.torproject.org/torbrowser/10.0/sha256sums-signed-build.txt.asc
- Public key for checking the signature: https://support.torproject.org/tbb/how-to-verify-signature/
- Committed `SHA-256` hashes: https://github.com/cd2357/tor-binary/commit/3dbd395e8c5557dee14103ba57f88c8fea155a59

The committed hashes should match the ones from the published hash list, which should match the list signature linked above.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4604#issuecomment-704940079
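
The check described in the mail above, sketched as an added example (not code from bisq, netlayer or tor-binary): verify the signature on the published list, then compare each committed hash against it. The sha256sum-style layout of the committed hashes, the function names, and the file names and hash values in `demo` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: not code from bisq, netlayer or tor-binary.

# Step 1: check the detached signature over the published hash list.
# Assumes the keyring holds only the Tor Browser signing key, imported as
# described on the support page linked in the mail.
verify_list_signature() {   # usage: verify_list_signature LIST LIST.asc
    gpg --verify "$2" "$1"
}

# Step 2: check every committed hash against the signature-checked list.
# Both files use sha256sum layout: 64 hex chars, two separator chars, name.
# Assumption: the committed hashes were exported into that layout first.
compare_hashes() {          # usage: compare_hashes COMMITTED PUBLISHED
    [ -s "$2" ] || { echo "published list is empty" >&2; return 2; }
    awk '
        !NF { next }                                  # skip blank lines
        { n = substr($0, 67); h = tolower($1) }
        NR == FNR { pub[n] = h; next }                # first file: signed list
        length(h) != 64 { print "MALFORMED " $0; bad = 1; next }
        !(n in pub)     { print "MISSING   " n;  bad = 1; next }
        pub[n] != h     { print "MISMATCH  " n;  bad = 1; next }
        { print "OK        " n }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Constructed sample data (not real Tor Browser hashes or file names): one
# matching entry, one altered entry, one entry absent from the signed list.
demo() {
    d=$(mktemp -d) || return 2
    a=$(printf '%064d' 1); b=$(printf '%064d' 2); c=$(printf '%064d' 3)
    printf '%s  %s\n' "$a" sample-linux.tar.xz "$b" sample-win.zip \
        >"$d/published"
    printf '%s  %s\n' "$a" sample-linux.tar.xz "$c" sample-win.zip \
        "$c" sample-osx.dmg >"$d/committed"
    rc=0; compare_hashes "$d/committed" "$d/published" || rc=$?
    rm -rf "$d"; return "$rc"
}

demo || echo "demo exit status: $?"
```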