[SRU] Tor does not download and install; repeated signature verification failed

Bug #1856895 reported by Jeffrey Walton on 2019-12-18
This bug affects 2 people

Affects: torbrowser-launcher (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: Bionic; Importance: Undecided; Assigned to: Thomas Ward
Affects: Focal; Importance: Undecided; Assigned to: Thomas Ward

Bug Description

[Impact]

torbrowser-launcher does not have the ability to update to newer Tor. New downloads of updates through it fail to verify due to mismatched developer keys.

[Test Case]

(1) Install torbrowser-launcher.
(2) Attempt to start tor.
(3) Tor will attempt to update and fail with a signature verification error.

[Regression Potential]

Replacing the key to use for verification should have no impact on functionality, but older-signed versions of the tor browser tarball will fail to verify. However, Tor devs are saying to use the new key anyways, so we should replace the key anyways.

[racb] We might have overlooked some case where the old key is still required.

------
------

[Original Bug Description]

I'm working on Ubuntu 18.04 x86_64 (fully patched). I installed Tor using Apt. When I attempt to launch Tor I am in an endless loop of download/verify/verify-failed.

The process at the moment is (1) Try to start Tor. (2) Tor downloads something. (3) Signature verification begins. (4) Signature verification fails. (5) Click "Start" to do it again.

Clicking "Start" from the "signature verify failed" screen takes me back to the download. Ad infinitum.

I have to go to a Windows machine to use Tor. I'd like to get the issue fixed on Ubuntu since it is my main workstation. This issue has been going on since about June 2018. I'm guessing someone does not realize something is broken.

At this point I am willing to accept the bad signature so I can use the Tor browser. I'm ready for the 6 month DoS to end.

Screenshots available at https://superuser.com/q/1511112/173513.

-----

Ubuntu version:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

And Tor package:

$ apt list --installed | grep -w -i tor

tor/bionic,now 0.3.2.10-1 amd64 [installed,automatic]
tor-geoipdb/bionic,bionic,now 0.3.2.10-1 all [installed,automatic]
---
ProblemType: Bug
ApportVersion: 2.20.9-0ubuntu7.9
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.04
InstallationDate: Installed on 2019-11-20 (28 days ago)
InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
Package: tor 0.3.2.10-1
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 5.0.0-37.40~18.04.1-generic 5.0.21
Tags: bionic
Uname: Linux 5.0.0-37-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_MarkForUpload: True
---
ProblemType: Bug
ApportVersion: 2.20.9-0ubuntu7.9
Architecture: amd64
DistroRelease: Ubuntu 18.04
InstallationDate: Installed on 2019-11-20 (28 days ago)
InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
Package: tor 0.3.2.10-1
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 5.0.0-37.40~18.04.1-generic 5.0.21
Tags: bionic
Uname: Linux 5.0.0-37-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

_MarkForUpload: True

summary: - Tor does not download and install; repeated verifcation failed
+ Tor does not download and install; repeated signature verification
+ failed

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Please execute the following command only once, as it will automatically gather debugging information, in a terminal:

apport-collect 1856895

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

tags: added: apport-collected bionic
description: updated

description: updated

@Chris,

I needed to run apport-collect twice. The first time I did not use sudo and there were several permission denied errors. Sorry about the two reports.

On the upside, I was able to duplicate in an Ubuntu 18 VirtualBox VM.

I also noticed Ubuntu Software Center -> Search for Tor, shows a lot of "one star" reviews. It looks like a lot of people are having problems with the way Tor is working on Ubuntu.

Peter Palfrader (weasel) wrote :

Your screenshots don't look like anything the tor package ships.

It looks like torbrowser-launcher, which is at best related but is not the Tor package.

affects: tor (Ubuntu) → torbrowser-launcher (Ubuntu)
AsciiWolf (asciiwolf) wrote :

Same issue on latest torbrowser-launcher on Ubuntu 20.04. The "tor-browser-developers.asc" key has changed (again). Here is a workaround from upstream ticket: https://github.com/micahflee/torbrowser-launcher/issues/485#issuecomment-683723668
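The failure discussed in this thread (the packaged key no longer matches the key that signs new releases) is a different condition from a tampered download, and GnuPG reports the two differently. The following is an added example, not part of the thread or of torbrowser-launcher: it classifies `gpg --status-fd` output for a detached signature and pins on a fingerprint. The fingerprint, key IDs and sample status lines are constructed placeholders.

```python
# Added example (not torbrowser-launcher code). Every key ID and fingerprint
# below is a constructed placeholder, not a real Tor Browser key.
PINNED_FPR = "A" * 40  # assumed: fingerprint of the key shipped in the package

def classify(status_text, pinned=PINNED_FPR):
    """Map gpg --status-fd output for one detached signature to a verdict."""
    seen = {}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            seen.setdefault(fields[1], fields[2:])
    first = lambda key: (seen[key] or [""])[0]
    if "BADSIG" in seen:
        # Key is in the keyring but the data does not match the signature.
        return "tampered", first("BADSIG")
    if "NO_PUBKEY" in seen:
        # Signer's key is not in the keyring, e.g. after an upstream rotation.
        # The download is unverified, not proven bad; the keyring needs the fix.
        return "unknown-key", first("NO_PUBKEY")
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        args = seen["VALIDSIG"]
        # Field 10 is the primary-key fingerprint when gpg reports it;
        # field 1 is the fingerprint of the (sub)key that made the signature.
        primary = (args[9] if len(args) >= 10 else args[0]).upper()
        return ("ok" if primary == pinned else "wrong-signer"), primary
    # Expired or revoked keys, missing signature, unparsed output: fail closed.
    return "not-verified", ""

# Constructed status output for three verification runs.
ROTATED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 10 00 1600000000 9 -\n"
    "[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB\n"
)
TAMPERED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.invalid>\n"
)
GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG CCCCCCCCCCCCCCCC Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + "C" * 40 + " 2020-09-27 1601000000 0 4 0 1 10 00 "
    + PINNED_FPR + "\n"
)

if __name__ == "__main__":
    for name, text in (("rotated", ROTATED), ("tampered", TAMPERED), ("good", GOOD)):
        print(name, classify(text))
```

A launcher that surfaces "unknown-key" separately from "tampered" tells the user that the keyring is stale, without suggesting that a bad signature should be accepted.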

tags: added: focal
AsciiWolf (asciiwolf) wrote :

However, this needs to be properly fixed in upstream and in the Debian/Ubuntu package.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in torbrowser-launcher (Ubuntu):
status: New → Confirmed
AsciiWolf (asciiwolf) wrote :

I have also reported this to the Debian package maintainer (<email address hidden>).

AsciiWolf (asciiwolf) wrote :

The Debian package was updated: https://packages.debian.org/sid/torbrowser-launcher

It will hopefully be soon in groovy. I hope that it will also be backported into focal.

AsciiWolf (asciiwolf) wrote :

Ubuntu MOTU Developers seem to be the Ubuntu package maintainer. Subscribing.

AsciiWolf (asciiwolf) wrote :

I am not sure whether the focal update does require an SRU. Feel free to let me know if there is anything I could help with.

AsciiWolf (asciiwolf) wrote :

Patch from Debian that fixes the issue:
https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/72b87f502af0666954d9ae9f51b794d546e1ab6c (+ needs to be added into debian/patches/series)

AsciiWolf (asciiwolf) wrote :

It is already fixed in Groovy.

Thomas Ward (teward) on 2020-09-25
Changed in torbrowser-launcher (Ubuntu):
status: Confirmed → Fix Released
Changed in torbrowser-launcher (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) on 2020-09-28
description: updated
summary: - Tor does not download and install; repeated signature verification
+ [SRU] Tor does not download and install; repeated signature verification
failed
Robie Basak (racb) on 2020-09-29
description: updated

Hello Jeffrey, or anyone else affected,

Accepted torbrowser-launcher into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/torbrowser-launcher/0.3.2-9ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in torbrowser-launcher (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
AsciiWolf (asciiwolf) wrote :

I have tested the provided torbrowser-launcher 0.3.2-9ubuntu1 build from focal-proposed on a fully-updated Ubuntu 20.04 system. I am no longer able to reproduce the issue and torbrowser-launcher now works properly.

tags: added: verification-done-focal
removed: verification-needed-focal
Thomas Ward (teward) on 2020-10-06
tags: removed: verification-needed
Jeffrey Walton (noloader) wrote :

Things still do not work on Ubuntu 18.04 x86_64 (fully patched). I still get the prompt to download something, which results in a verification failure.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

I'm not sure what is broken with the devs and their public keys, but that is the problem that needs to be fixed.

I have not been able to use Tor on Ubuntu for about a year. Instead of making things more secure, you've made them less secure.

Thomas Ward (teward) wrote :

This is not yet fixed in Bionic - as such, patience is required, Jeffrey. The status of Bionic is the one you need to watch on this bug. Fixes must land in Focal first.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package torbrowser-launcher - 0.3.2-9ubuntu1

---------------
torbrowser-launcher (0.3.2-9ubuntu1) focal; urgency=medium

  * This is a bug-fix only upload to address several significant bugs
    found in the Tor Browser launcher package.
  * Patches backported from Debian Unstable release and Debian Salsa git
    repository for the package into the Focal package to fix issues.
    The following patches were added in d/patches and added to the quilt
    series file in the stated order:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream developers key. (LP: #1856895)
    - 0030-Use-gpg-instead-of-gpg2.patch: Use /usr/bin/gpg instead of the
      /usr/bin/gpg2 symlink due to gnupg2 transitional package not being
      part of default installations. (LP: #1897306)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)
    - 0032-apparmor-allow-Browser-to-memory-map-libstdc.patch: Allow
      apparmor profile to access and memory map libstdc, due to AppArmor
      default DENY on access causing issues. (LP: #1897302)

 -- Thomas Ward <email address hidden> Sun, 27 Sep 2020 14:34:53 -0400

Changed in torbrowser-launcher (Ubuntu Focal):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for torbrowser-launcher has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Thomas Ward (teward) on 2020-10-12
Changed in torbrowser-launcher (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) wrote :

Hello Jeffrey, or anyone else affected,

Accepted torbrowser-launcher into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/torbrowser-launcher/0.2.9-2ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in torbrowser-launcher (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Rolando Gorgs (rolandogorgs) wrote :

I've tested torbrowser-launcher 0.2.9-2ubuntu1 from bionic-proposed with Ubuntu 18.04 and Linux Mint 19.3 and can confirm that everything is running perfectly again. torbrowser-launcher 0.2.9-2ubuntu1 has been able to update Torbrowser to Version 10.0.1 on both machines. All these error messages are gone. :-)

Thanks for fixing this!

One question: Can I just comment out the proposed entry from sources.list and continue using this fixed version of torbrowser-launcher? Will it get updates in the future?

Thomas Ward (teward) on 2020-10-14
tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Brian Murray (brian-murray) wrote :

Yes, if you disable the -proposed entry in your sources.list file you'll have the same version of the package which will then end up in the -updates pocket. Then if there is another SRU of the package, or a security update, then that will be installed as they'll end up in pockets which you have enabled.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package torbrowser-launcher - 0.2.9-2ubuntu1

---------------
torbrowser-launcher (0.2.9-2ubuntu1) bionic; urgency=medium

  * This is a stable release update to address issues with Tor Browser
    install verification.
  * Patches added to d/patches:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream developers key. (LP: #1856895)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)

 -- Thomas Ward <email address hidden> Mon, 12 Oct 2020 09:45:44 -0400

Changed in torbrowser-launcher (Ubuntu Bionic):
status: Fix Committed → Fix Released
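Both changelogs above list a patch for "better version string comparison" so that the launcher supports version 10+. The patch itself is not shown on this page, so the following is an added example, not the project's code: it assumes the failure mode is plain string comparison, and shows a numeric comparison that also fails closed on malformed input. Version 9.5.4 and the alpha suffix handling are constructed for illustration; 10.0.1 is the version a tester reports above.

```python
import re

def naive_is_newer(candidate, installed):
    # Plain string comparison works character by character, so "1" < "9"
    # and any 10.x release sorts below every 9.x release.
    return candidate > installed

# Dotted integers with an optional pre-release suffix such as "10.0a7"
# (the suffix grammar is an assumption made for this example).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # a final release sorts last

def version_key(text):
    """Turn a version string into a tuple that orders correctly."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        # Refuse to guess: an unparseable version must not pass an update check.
        raise ValueError("unrecognised version string: %r" % (text,))
    numbers = [int(part) for part in match.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()  # treat "10.0" and "10.0.0" as the same release
    return tuple(numbers), _STAGE[match.group(2)], int(match.group(3) or 0)

def is_newer(candidate, installed):
    """True only when candidate is strictly newer than installed."""
    return version_key(candidate) > version_key(installed)

if __name__ == "__main__":
    for cand, inst in (("10.0.1", "9.5.4"), ("10.0", "10.0a7"), ("10.0", "10.0.0")):
        print(cand, inst, naive_is_newer(cand, inst), is_newer(cand, inst))
```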