Provide a list sha256's for verified binary downloads from mirrors
While attempting to bump the version in the OSX Homebrew system in the middle of the night I discovered that the list of sha256s provided did not allign with the downloaded DMGs that were on the mirrors: shasum -a 256 TorBrowser-7.0.1-osx64_ar.dmg 96127d410647bc63b592238e7a5473a63c9588a88fbc501cbce93b02e546bf2e TorBrowser-7.0.1-osx64_ar.dmg when on the list it is: 325550bf93c24e302354d4bcf90bda04540c4e8c78c270b735b5598e1dcd988d TorBrowser-7.0.1-osx64_ar.dmg
Since distributing tainted software is of concern particularly on security related matters, I halted the PR and flagged it. Contributors on two other continents checked their mirrors, and we were all getting the same sha256s, but these did not align with the only published list of shas. The only publiclly avaailable sha list is for the signed software (here is v7.0.1): https://dist.torproject.org/torbrowser/7.0.1/sha256sums-unsigned-build.txt
While we acknowledge the utility and use of the PGP *.asc signing, the homebrew (I have no idea what kind of reach we have for Tor products) currently require a sha256 on a downloaded file even if other verification methods are used. Thus to implement PGP verification we would need to do it on top of the sha256 unless we switch TorBrowser to
:latest which we do not want to do for security reasons.
As the tested sha256s are consistent across mirrors a published list of sha256s for known good installers/DMGs is requested; as I was not the only one confused; but rather four homebrew contributors/maintainers.
Needing to wget all of the binaries to verify the sha's presents two problems, one the mirror used could be tainted/compromised; given recent seizures like those in France this is of modest concern. But even in affluent countries like the US highspeed broadband is not evenly distributed; and needing to pull 16 ~62MB DMG's is nearly a gigabyte of data just to verify the sha256s. A
verified sha256 list solves both these problems.