[tor-bugs] #26539 [Webpages/Website]: add checksums to download page; make checksum vs. sig file purpose much clearer
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 27 21:34:20 UTC 2018
#26539: add checksums to download page; make checksum vs. sig file purpose much
clearer
----------------------------------+----------------------------------------
Reporter: cypherpunks | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Webpages/Website | Version:
Severity: Normal | Keywords: gpg, verify gpg signatures
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
----------------------------------+----------------------------------------
Gpg recently failed to verify a Tor Browser download - a first for me.
Since data errors in downloads aren't as common as years ago, I assumed an
error in the *.asc sig file itself, or other issues.
Such as my Linux GPG version not playing well with the version used to
sign Tor Browser.
I wanted to verify checksum of the downloaded TBB, but after a few
searches on TorProject didn't find the checksum, I re-download TBB.
It was faster in the long run, but it's a big package to re-download for
users with limited data plans, when a few byte checksum would suffice to
see if there was a download data error.
I propose that checksum files - or a prominent link, be added to the
download page - not make users hunt them. That's how many well run
projects seem to do it - app packages, sig files & checksums are all
easily found, or have links on the same page.
The statement, "''See our instructions on how to verify package
signatures, which allows you to make sure you've downloaded the file we
intended you to get. Also, note that the Firefox ESR in our bundles is
modified from the default Firefox ESR'' "
should be placed above the packages & sig files, where users are far more
likely to see it.
The wording could be stronger, clearer - why users would want to verify
the TBB / other packages PGP signatures of downloads, EVEN from
TorProject's site (not rely solely on checksums). A brief statement why
verifying signed packages is important & how it's unrelated to using
checksums. If users (of anything) don't understand a real purpose or
need, they're more likely to skip steps.
I could write something to make changes, additions & submit for
consideration, but only if there's interest in making changes to general
security methods to educate users, that work for many products.
* Verification instructions: They're generally good & someone did a lot
of work, but many users unfamiliar w/ PGP / GPG's real purpose & the
procedures may be clueless.
On the Windows verify instructions (maybe Linux, OS X), it's unclear which
signature & which "package" they're verifying.
If they're installing GPG or gpg4win, the instructions should include
steps (or link to clear instructions) to first verify GPG itself (once),
then a separate verification of downloaded Tor products - EVEN from
TorProject's https site.
The statement, "make sure you've downloaded the file we intended you to
get." means little to non-gpg users or slightly familiar. To many, they
downloaded the correct platform package, therefore they "have the file
intended for their OS." As far as they know, they did everything
required.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26539>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list