[Bug 1896085] Re: [SRU] Backport patch to update Tor Browser Developers public key into Ubuntu 20.04

Fri Sep 25 10:10:28 UTC 2020

Oops, sorry for sending the incomplete comment.

Thomas, thanks again for working on this SRU!

As discussed on IRC, this is what should be included in the SRU:
1. The new Tor Browser developer key patch: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/72b87f502af0666954d9ae9f51b794d546e1ab6c + entry in debian/patches/series
2. The version comparison fix patch: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/fa3115fbf6c2d298b12c1ccee8f679c13682c92c
3. AppArmor rules patch to fix libstdc++ issue: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/87859bce5779f89b37c4e4be334f7e1670b0a9f3
4. Patch to use /usr/bin/gpg instead of /usr/bin/gpg2 (that is just an alias that is not preinstalled on Linux Mint and many Ubuntu flavors) + dependency on gnupg (gnupg package is also missing out-of-box in some Ubuntu flavors): https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/f83349ae954a888a7913ac64c98dbb53a284932f and https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/68908ebd6567fad56642c57d2fb1f75dad6efe4a

Feel free to let me know if you have any issue or question.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1896085

Title:
  [SRU] Backport patch to update Tor Browser Developers public key into
  Ubuntu 20.04

Status in torbrowser-launcher package in Ubuntu:
  Fix Released
Status in torbrowser-launcher source package in Focal:
  In Progress
Status in torbrowser-launcher source package in Groovy:
  Fix Released

Bug description:
  [Impact]
  The torbrowser-launcher package in Ubuntu 20.04 does not work *at all* on new installations (see bug #1856895), because of a Tor Browser Developers public key change (old key is not valid anymore) that causes Tor Browser archive downloaded by torbrowser-launcher when being launched for a first time to fail verification. The included debdiff contains patch with a new key from latest package version (that is in Debian Testing and Ubuntu Groovy) and makes the torbrowser-launcher work again.

  [Test Case]
  1. Use a clean, fully updated Ubuntu 20.04 system where torbrowser-launcher was not previously installed/configured.
  2. Install the "torbrowser-launcher" package.
  3. Run "Tor Browser" from a desktop menu (or "torbrowser-launcher" from terminal).
  4. Wait for the Tor Browser archive to finish downloading, verifying and unpacking.

  [Regression Potential]
  This debdiff adds just the one patch mentioned above. As mentioned, the developer key is used only when torbrowser-launcher is launched for a first time - to verify Tor Browser archive that is downloaded and unpacked (into user's home) by torbrowser-launcher. torbrowser updates are then handled by torbrowser itself, not by torbrowser-launcher. Subsequent Tor Browser updates are handled by Tor Browser itself, not by torbrowser-launcher and work fine even if the developer key shipped with torbrowser-launcher is incorrect. I am not aware of any regression this change could cause.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1896085/+subscriptions