[tor-bugs] #26539 [Webpages/Website]: add checksums to download page; make checksum vs. sig file purpose much clearer

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 27 21:34:20 UTC 2018


#26539: add checksums to download page; make checksum vs. sig file purpose much
clearer
----------------------------------+----------------------------------------
     Reporter:  cypherpunks       |      Owner:  (none)
         Type:  defect            |     Status:  new
     Priority:  Medium            |  Milestone:
    Component:  Webpages/Website  |    Version:
     Severity:  Normal            |   Keywords:  gpg, verify gpg signatures
Actual Points:                    |  Parent ID:
       Points:                    |   Reviewer:
      Sponsor:                    |
----------------------------------+----------------------------------------
 Gpg recently failed to verify a Tor Browser download - a first for me.
 Since data errors in downloads aren't as common as years ago, I assumed an
 error in the *.asc sig file itself, or other issues.

 Such as my Linux GPG version not playing well with the version used to
 sign Tor Browser.

 I wanted to verify the checksum of the downloaded TBB, but after a few
 searches on TorProject didn't find the checksum, I re-downloaded TBB.
 It was faster in the long run, but it's a big package to re-download for
 users with limited data plans, when a few-byte checksum would suffice to
 see if there was a download data error.

 I propose that checksum files, or a prominent link, be added to the
 download page, rather than making users hunt for them.  That's how many
 well-run projects seem to do it - app packages, sig files & checksums are
 all easily found, or have links on the same page.

 The statement, "''See our instructions on how to verify package
 signatures, which allows you to make sure you've downloaded the file we
 intended you to get. Also, note that the Firefox ESR in our bundles is
 modified from the default Firefox ESR'' "
 should be placed above the packages & sig files, where users are far more
 likely to see it.

 The wording could be stronger, clearer - why users would want to verify
 the TBB / other packages' PGP signatures of downloads, EVEN from
 TorProject's site (not rely solely on checksums).  A brief statement why
 verifying signed packages is important & how it's unrelated to using
 checksums.  If users (of anything) don't understand a real purpose or
 need, they're more likely to skip steps.

 I could write something to make changes, additions & submit for
 consideration, but only if there's interest in making changes to general
 security methods to educate users, that work for many products.

 * Verification instructions:  They're generally good & someone did a lot
 of work, but many users unfamiliar w/ PGP / GPG's real purpose & the
 procedures may be clueless.

 On the Windows verify instructions (maybe Linux, OS X), it's unclear which
 signature & which "package" they're verifying.
 If they're installing GPG or gpg4win, the instructions should include
 steps (or link to clear instructions) to first verify GPG itself (once),
 then a separate verification of downloaded Tor products - EVEN from
 TorProject's https site.

 The statement, "make sure you've downloaded the file we intended you to
 get." means little to non-gpg users or those only slightly familiar.  To many, they
 downloaded the correct platform package, therefore they "have the file
 intended for their OS."  As far as they know, they did everything
 required.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26539>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

