How to reproduce tor build using gitian?


Please refer me to the steps to reproduce a tor build using gitian. I have been trying to build the tor browser bundle using the steps mentioned at the following link:

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/BuildingWithGitian

But I keep getting errors, and I did not receive a reply from [email protected]

~/tor-browser-build/gitian-builder/inputs ~/tor-browser-build/gitian-builder/inputs
object ebcbfd6cdc29372909079d0345185733d47d90d4
type commit
tag tor-browser-38.2.0esr-5.0-1-build2
tagger Mike Perry 1439157725 -0700

5.0-build2.
gpg: Signature made Sun 09 Aug 2015 06:02:10 PM EDT using RSA key ID D2F1E186
gpg: Good signature from "Mike Perry "
gpg:                 aka "Mike Perry (Regular use key) "
gpg:                 aka "Mike Perry (Regular use key) "
gpg:                 aka "Mike Perry "
gpg: Note: This key has expired!
Primary key fingerprint: C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC
     Subkey fingerprint: CC69 3F6C D7AA 6B8E EC40 EC28 4102 F895 D2F1 E186
error: could not verify the tag 'tor-browser-38.2.0esr-5.0-1-build2'
tor-browser: verification of tag tor-browser-38.2.0esr-5.0-1-build2 against /home/tor/tor-browser-build/tor-browser-bundle/gitian/gpg/torbutton.gpg failed!

You should run 'make prep' to ensure your inputs are up to date
make: *** [build] Error 1

I ran 'make prep' and then 'make' but I still get the same error.

Edit:

After manually updating the key, the error is still not resolved.

tor@tor-VirtualBox:~$ gpg -k
/home/tor/.gnupg/pubring.gpg
----------------------------
pub   8192R/683686CC 2013-09-11
uid                  Mike Perry <[email protected]>
uid                  Mike Perry <[email protected]>
uid                  Mike Perry (Regular use key) <[email protected]>
uid                  Mike Perry (Regular use key) <[email protected]>
sub   4096R/0F129402 2015-09-07 [expires: 2016-09-11]
sub   4096R/ACC0A961 2015-09-07 [expires: 2016-09-11]

tor@tor-VirtualBox:~$ gpg --fingerprint 683686CC
pub   8192R/683686CC 2013-09-11
      Key fingerprint = C963 C21D 6356 4E2B 10BB  335B 2984 6B3C 6836 86CC
uid                  Mike Perry <[email protected]>
uid                  Mike Perry <[email protected]>
uid                  Mike Perry (Regular use key) <[email protected]>
uid                  Mike Perry (Regular use key) <[email protected]>
sub   4096R/0F129402 2015-09-07 [expires: 2016-09-11]
sub   4096R/ACC0A961 2015-09-07 [expires: 2016-09-11]

There are 1 best solutions below


I doubt you're doing anything wrong. It's failing because you're using an expired gpg key for Mike Perry. It's probably that the script doesn't understand what caused the error, so it asks for make prep.

It appears Mike uses a fixed main key but gives his subkeys an expiration time of 1 year and replaces them. Amusingly, this Tor Project page gets it wrong too.

Just download his new key here and gpg --import it. Or simply run:

gpg --keyserver pgp.mit.edu --recv 29846b3c683686cc

After that, running gpg --fingerprint 683686CC should show:

pub   8192R/683686CC 2013-09-11
      Key fingerprint = C963 C21D 6356 4E2B 10BB  335B 2984 6B3C 6836 86CC
uid                  Mike Perry <[email protected]>
uid                  Mike Perry <[email protected]>
uid                  Mike Perry (Regular use key) <[email protected]>
uid                  Mike Perry (Regular use key) <[email protected]>
sub   4096R/0F129402 2015-09-07 [expires: 2016-09-11]
sub   4096R/ACC0A961 2015-09-07 [expires: 2016-09-11]

You'll notice the new keys now expire in 2016.

You can trust this new key really belongs to Mike Perry because it's actually the same base key with the same fingerprint. It's only the subkeys that changed. In fact, there is a good chance Mike does this precisely so that (a) scripts can update his key but (b) if his key is compromised then people cannot use the compromised key for more than 1 year, and (c) he'd keep the main key air gapped probably too.
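
The check described in the answer above (same primary fingerprint, only the subkeys replaced), as an added example that is not part of the original answer or of the Tor Project's build scripts. It parses `gpg --with-colons --fingerprint` output; the two listings are constructed from the values shown on this page, and the old subkey's expiry date, the new subkeys' long IDs, fingerprints and capabilities, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: parse `gpg --with-colons --fingerprint KEY` output on stdin.
#   $1 = pinned primary fingerprint, $2 = current time in epoch seconds
# Returns 0: pinned primary key and at least one unexpired signing subkey
#         1: pinned primary key, but every signing subkey has expired
#         2: primary fingerprint differs from the pin
check_signing_key() {
    awk -F: -v pin="$1" -v now="$2" '
        $1 == "pub" || $1 == "sub" { rec = $1; expiry = $7; caps = $12; next }
        $1 == "fpr" && rec == "pub" { primary = $10; rec = ""; next }
        $1 == "fpr" && rec == "sub" {
            if (caps ~ /s/) {                      # signing-capable subkey
                expired = (expiry != "" && expiry + 0 <= now + 0)
                printf "%s %s\n", (expired ? "expired" : "usable"), $10
                if (!expired) usable++
            }
            rec = ""
        }
        END {
            if (toupper(primary) != toupper(pin)) { print "primary mismatch"; exit 2 }
            exit (usable > 0 ? 0 : 1)
        }'
}

# Constructed listing: keyring before the refresh (old signing subkey only).
stale_listing() {
cat <<'EOF'
pub:-:8192:1:29846B3C683686CC:1378857600:::-:::scESC:
fpr:::::::::C963C21D63564E2B10BB335B29846B3C683686CC:
sub:e:4096:1:4102F895D2F1E186:1378857600:1441929600:::::s:
fpr:::::::::CC693F6CD7AA6B8EEC40EC284102F895D2F1E186:
EOF
}

# Constructed listing: after the refresh. Zero-padded IDs are placeholders.
refreshed_listing() {
stale_listing
cat <<'EOF'
sub:-:4096:1:000000000F129402:1441584000:1473552000:::::s:
fpr:::::::::000000000000000000000000000000000F129402:
sub:-:4096:1:00000000ACC0A961:1441584000:1473552000:::::e:
fpr:::::::::00000000000000000000000000000000ACC0A961:
EOF
}

NOW=1443657600   # constructed "today" (2015-10-01 UTC)
PIN=C963C21D63564E2B10BB335B29846B3C683686CC
stale_listing | check_signing_key "$PIN" "$NOW" || echo "stale keyring: exit $?"
refreshed_listing | check_signing_key "$PIN" "$NOW" && echo "refreshed keyring: ok"
```

Against a real keyring, pipe `gpg --with-colons --fingerprint 683686CC` into `check_signing_key` with `$(date +%s)` as the second argument.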