Tor Installation OS X Step Three
Please find below a copy of a letter I recently wrote to help@rt.torproject.org regarding some thoughts about Tor Installation OS X Step Three, as detailed on the website. As requested, I am submitting it as a ticket. I am marking it as a defect, as some of it at least refers to the possibility of the installation instructions for OS X not being up-to-date (although other parts could be considered as improvements). Please excuse it not being broken up into smaller tickets; I am not sure where any such division would be best. Let's take this as a place to start, and break anything up if it is clear to someone and deemed useful. :)
Peace, tiredpixel
Dear Tor,
On https://www.torproject.org/docs/tor-doc-osx.html.en 'Step Three', it says
Unfortunately, Homebrew does not come with integrated verification for downloads, and anyone could submit a modified Tor! Currently, we don't have good instructions on how to verify the Tor download on Mac OSX. If you think you do, please let us know!
Is this up-to-date? Homebrew contains the ability to checksum both bottles and source packages, and these appear to be specified in the build recipe for Tor:
https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb
Modifying my local /usr/local/Library/Formula/tor.rb and purposely corrupting the checksums seemed to yield the desired behaviour (after clearing the caches), with the bottle installation being skipped because of the failed checksum (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L11), and then the source installation failing because of that failed checksum (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L6).
Admittedly, this does not make it easy for the user to verify the installation themselves, and requires a large amount of trust in Homebrew. However, presuming the trust in the package manager itself installing from the locally downloaded package, perhaps it is possible for the concerned user to skip the bottle installation and force a source installation (slower, of course, but not massively so) using something like:
brew install tor --build-from-source
Then, observing the output for the location of the cache (which could also be guessed from the version reported in brew info tor), fetching the signature from the Tor website, and verifying:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz.asc -o tor-sig.asc
gpg --verify tor-sig.asc /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
However, this also requires GPG, of course, which in turn can be installed using Homebrew or GPGTools (binary package), so perhaps this doesn't make the user much more at ease. Perhaps the latter consideration doesn't cause too much worry, however, as it appears to be in the instructions for verifying signatures on OS X (https://www.torproject.org/docs/verifying-signatures.html.en). Manually verifying the SHA checksum, too, however (which is what Homebrew appears to do), could give a little more confidence:
shasum -a 256 /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
However, unlike for the SHA 256 sums provided for the browser (https://www.torproject.org/dist/torbrowser/4.0-alpha-2/sha256sums.txt), I cannot seem to find a list of these. But then, arguably it's a small download anyway, so if we don't mind the duplication of the download work:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz | shasum -a 256
This matches the version Homebrew cached, which increases confidence.
By this point, however, we could just as easily warm the source cache for Homebrew ourselves, which would block installation if the checksum does not match that expected by Homebrew:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz -o /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
This does, of course, require knowledge of which version is about to be installed, but brew info tor suffices for that.
I suppose it comes down to whether I trust Homebrew in its installation, and whether I trust its embedded checksums to be accurate. For the former, I probably shouldn't be using it for installations, although admittedly verifying my Homebrew installation itself is a whole other issue (although here, too, confidence could be gained by using the knowledge of it being a Git repository and doing something like cd $(brew --prefix) && git remote -v && git pull, but also presumes the --prefix output is accurate, etc.). If I don't trust its embedded checksums to be accurate, perhaps an approach balancing concern with usability would be:
brew info tor
# observe stable version
export BREW_TOR_VERSION=0.2.4.23
curl "https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz" -o "/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
curl "https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz.asc" -o tor-sig.asc
gpg --verify tor-sig.asc "/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
# observe good signature, leaving checksum checking to Homebrew, as we've supplied the source
brew install tor --build-from-source
# observe that cache was used and nothing exploded
Although, it might be more convenient to use brew fetch for the source.
Perhaps there may be a better way to accomplish this, particularly the last step. But hopefully, it is better than nothing for the concerned user.
Peace, tiredpixel
Trac:
Username: tiredpixel
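The "balanced" procedure from the letter (warm Homebrew's cache yourself, check the detached signature, compare digests, then build from source) as a small script. This is an added example, not code from the ticket, from Tor or from Homebrew; it assumes gpg already holds the Tor release signing key, that HOMEBREW_CACHE (or the letter's /Library/Caches/Homebrew) is the cache brew will read, and that the version string passed in is the one reported by brew info tor.

```shell
# Added example (not from the ticket, Tor or Homebrew). Assumes: the Tor release
# signing key is already in gpg, HOMEBREW_CACHE (default /Library/Caches/Homebrew)
# is the cache brew reads, and the version argument comes from `brew info tor`.

sha256_of() {
    # Portable SHA-256 hex digest: sha256sum on Linux, shasum -a 256 on OS X.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 when the file's digest equals the expected hex (case-insensitive), 1 otherwise.
check_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$(sha256_of "$1")" = "$expected" ]
}

# 0 when two downloads (e.g. the brew-cached tarball and a fresh upstream copy) are
# byte-for-byte the same, which is the comparison the letter does by hand.
same_digest() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Warm Homebrew's source cache ourselves, verify the detached signature, then build
# from source so brew also checks the tarball against the checksum in its formula.
verify_and_install_tor() {
    version=$1
    cache=${HOMEBREW_CACHE:-/Library/Caches/Homebrew}
    tarball="$cache/tor-$version.tar.gz"
    sig="$cache/tor-$version.tar.gz.asc"
    curl -fsS "https://www.torproject.org/dist/tor-$version.tar.gz" -o "$tarball" || return 1
    curl -fsS "https://www.torproject.org/dist/tor-$version.tar.gz.asc" -o "$sig" || return 1
    # gpg exits non-zero on a bad or unknown signature; stop before brew touches the file.
    gpg --verify "$sig" "$tarball" || { echo "signature check failed: $tarball" >&2; return 1; }
    echo "sha256 of verified source: $(sha256_of "$tarball")"
    brew install tor --build-from-source
}
# Usage: verify_and_install_tor 0.2.4.23   (version as shown by: brew info tor)
```

If brew reports a checksum mismatch after gpg accepted the file, the formula's pinned digest and the signed upstream tarball disagree, which is exactly the case the letter wants surfaced rather than silently installed.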