[Bug 1896085] Re: [SRU] Backport patch to update Tor Browser Developers public key into Ubuntu 20.04

AsciiWolf 1896085 at bugs.launchpad.net
Fri Sep 25 15:42:18 UTC 2020


Here are the bug tickets regarding the individual issues/fixes mentioned in the previous comment:
ad 1. https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1856895
ad 2. https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1896752
ad 3. https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1897302
ad 4. https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1897306

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1896085

Title:
  [SRU] Backport patch to update Tor Browser Developers public key into
  Ubuntu 20.04

Status in torbrowser-launcher package in Ubuntu:
  Fix Released
Status in torbrowser-launcher source package in Focal:
  In Progress
Status in torbrowser-launcher source package in Groovy:
  Fix Released

Bug description:
  [Impact]
  The torbrowser-launcher package in Ubuntu 20.04 does not work *at all* on new installations (see bug #1856895), because of a Tor Browser Developers public key change (the old key is not valid anymore) that causes the Tor Browser archive downloaded by torbrowser-launcher, when it is launched for the first time, to fail verification. The included debdiff contains a patch with a new key from the latest package version (that is in Debian Testing and Ubuntu Groovy) and makes torbrowser-launcher work again.

  [Test Case]
  1. Use a clean, fully updated Ubuntu 20.04 system where torbrowser-launcher was not previously installed/configured.
  2. Install the "torbrowser-launcher" package.
  3. Run "Tor Browser" from a desktop menu (or "torbrowser-launcher" from a terminal).
  4. Wait for the Tor Browser archive to finish downloading, verifying and unpacking.

  [Regression Potential]
  This debdiff adds just the one patch mentioned above. As mentioned, the developer key is used only when torbrowser-launcher is launched for the first time - to verify the Tor Browser archive that is downloaded and unpacked (into the user's home) by torbrowser-launcher. torbrowser updates are then handled by torbrowser itself, not by torbrowser-launcher. Subsequent Tor Browser updates are handled by Tor Browser itself, not by torbrowser-launcher, and work fine even if the developer key shipped with torbrowser-launcher is incorrect. I am not aware of any regression this change could cause.
