I recently wrote a letter to Tor, containing some thoughts about Tor Installation OS X ‘Step Three’, with regards to the verification of Tor installations on OS X when installed using Homebrew. At their request, I have created a ticket; if you have any thoughts or improvements, please feel free to add your comments there. :)
Dear Tor,
On https://www.torproject.org/docs/tor-doc-osx.html.en ‘Step Three’, it says
Unfortunately, Homebrew does not come with integrated verification for downloads, and anyone could submit a modified Tor! Currently, we don’t have good instructions on how to verify the Tor download on Mac OSX. If you think you do, please let us know!
Is this up-to-date? Homebrew has the ability to checksum both bottles and source packages, and both checksums appear to be specified in the build recipe (formula) for Tor:
https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb
Modifying my local /usr/local/Library/Formula/tor.rb and purposely corrupting the checksums seemed to yield the desired behaviour (after clearing the caches), with the bottle installation being skipped because of its failed checksum (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L11), and then the source installation failing because of its failed checksum (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/tor.rb#L6).
Admittedly, this does not make it easy for the user to verify the installation themselves, and it requires a large amount of trust in Homebrew. However, presuming we trust the package manager itself to install from the locally downloaded package, perhaps the concerned user could skip the bottle installation and force a source installation (slower, of course, but not massively so) using something like:
brew install tor --build-from-source
Then, observing the output for the location of the cache (which could also be guessed from the version reported in brew info tor), fetching the signature from the Tor website, and verifying:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz.asc -o tor-sig.asc
gpg --verify tor-sig.asc /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
However, this also requires GPG, of course, which in turn can be installed using Homebrew or GPGTools (a binary package), so perhaps this doesn’t make the user much more at ease. That consideration is probably not too much of a worry, however, as GPG already appears in the instructions for verifying signatures on OS X (https://www.torproject.org/docs/verifying-signatures.html.en). Manually verifying the SHA checksum as well (which is what Homebrew appears to do) could give a little more confidence:
shasum -a 256 /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
However, unlike the SHA-256 sums provided for the browser (https://www.torproject.org/dist/torbrowser/4.0-alpha-2/sha256sums.txt), I cannot seem to find a published list of these for the Tor source tarball. But then, arguably it’s a small download anyway, so if we don’t mind duplicating the download:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz | shasum -a 256
This matches the version Homebrew cached, which increases confidence.
By this point, however, we could just as easily warm the source cache for Homebrew ourselves, which would block installation if the checksum does not match that expected by Homebrew:
curl https://www.torproject.org/dist/tor-0.2.4.23.tar.gz -o /Library/Caches/Homebrew/tor-0.2.4.23.tar.gz
This does, of course, require knowledge of which version is about to be installed, but brew info tor suffices for that.
I suppose it comes down to whether I trust Homebrew to perform the installation, and whether I trust its embedded checksums to be accurate. If I don’t trust the former, I probably shouldn’t be using it for installations at all, although admittedly verifying my Homebrew installation itself is a whole other issue (here, too, some confidence could be gained from the knowledge that it is a Git repository, by doing something like cd $(brew --prefix) && git remote -v && git pull, but that also presumes the --prefix output is accurate, etc.). If I don’t trust its embedded checksums to be accurate, perhaps an approach balancing concern with usability would be:
brew info tor
# observe stable version
export BREW_TOR_VERSION=0.2.4.23
curl "https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz" -o "/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
curl "https://www.torproject.org/dist/tor-$BREW_TOR_VERSION.tar.gz.asc" -o tor-sig.asc
gpg --verify tor-sig.asc "/Library/Caches/Homebrew/tor-$BREW_TOR_VERSION.tar.gz"
# observe good signature, leaving checksum checking to Homebrew, as we’ve supplied the source
brew install tor --build-from-source
# observe that cache was used and nothing exploded
Although it might be more convenient to use brew fetch for the source.
There may well be a better way to accomplish this, particularly the last step. But hopefully it is better than nothing for the concerned user.