TBB build does insecure download of source files
A recent post on the Tor blog reminds us, in the wake of the DigiNotar debacle, of the importance of verifying signed files after downloading. So why then does the TBB build process download Tor source files insecurely, then fail to verify the signatures of the files?
See the file ~/build-scripts/versions.mk, most recently found in the tor-browser-2.2.32-2-src.tar.gz tarball. First it explicitly ignores the certificate of the originating site ("wget --no-check-certificate") while getting the Tor and Vidalia source. Then it fails to download the signature files and check them against the downloaded source tarball files.
I urge that signed files actually be validated against their signatures in those cases where signatures are available.
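A fail-closed fetch-and-verify routine of the kind the ticket asks for, as an added example rather than code from the TBB build scripts; the function names, the pinned keyring path and the URL are assumptions, and gpg's detached-signature and --status-fd output are used for the check.

```shell
#!/bin/sh
# Added example (not part of versions.mk): download a release tarball and
# its detached .asc signature with TLS certificate checking left ON, then
# refuse to proceed unless gpg reports a good signature from a key in a
# pinned keyring. Function names and paths are assumptions.
set -eu

# verify_sig TARBALL SIG KEYRING
# Returns 0 only when SIG is a good signature over TARBALL made by a key
# present in KEYRING. A missing signature or keyring fails just like a
# bad signature does, so the caller never unpacks unverified source.
verify_sig() {
    tarball=$1; sig=$2; keyring=$3
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$sig" ]     || { echo "no signature for $tarball" >&2; return 1; }
    [ -f "$keyring" ] || { echo "missing keyring: $keyring" >&2; return 1; }
    # --no-default-keyring/--keyring pin trust to the shipped keyring only;
    # --status-fd 1 gives machine-readable lines, so we match GOODSIG
    # instead of parsing localized human-readable output.
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$tarball" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
}

# fetch_verified URL DIR KEYRING
# Fetches URL and URL.asc into DIR. No --no-check-certificate: wget's
# default certificate validation stays in force, and the signature check
# is what actually authenticates the file afterwards.
fetch_verified() {
    url=$1; dir=$2; keyring=$3
    name=${url##*/}
    mkdir -p "$dir"
    wget -q -P "$dir" "$url" "$url.asc"
    verify_sig "$dir/$name" "$dir/$name.asc" "$keyring"
}

# Usage (assumed values): fetch_verified https://host.example/tor.tar.gz \
#     build/src keys/tor-release-keys.gpg
if [ "$#" -ge 3 ]; then
    fetch_verified "$1" "$2" "$3"
fi
```

Because the verification exits non-zero on any failure, a Makefile that runs it under set -e (or as a prerequisite target) stops the build instead of silently continuing with unverified source.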
Trac username: tmpname0901