[tor-bugs] #31296 [- Select a component]: simplify OpenPGP signature verification instructions

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 31 03:51:25 UTC 2019


#31296: simplify OpenPGP signature verification instructions
----------------------------------+------------------------
 Reporter:  dkg                   |          Owner:  (none)
     Type:  defect                |         Status:  new
 Priority:  Medium                |      Milestone:
Component:  - Select a component  |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
 Reviewer:                        |        Sponsor:
----------------------------------+------------------------
Description changed by dkg:

Old description:

> The OpenPGP signature verification instructions at
> https://support.torproject.org/tbb/how-to-verify-signature/ are more
> complicated than they need to be, and more repetitive.  They also are
> confusing!
>
> I'll attach a revised version of the `contents.lr` file, but you can also
> see the changes with more clarity as a series of individual git commits
> on the `pgp-verification` branch of tor's `support` repo at
> https://0xacab.org/dkg/tor-support.
>
> The main changes are:
>
>  * group GnuPG installation instructions in one place
>  * export the tor developer OpenPGP certificate as a "keyring"
>  * use `gpgv` for verification, not raw `gpg`
>  * remove accidentally misleading statements about "assigning a trust
> index" and "exchanging fingerprints"
>  * use fingerprints and not keyids
>  * bake fingerprint verification into the workflow, rather than asking
> humans to compare them manually.
>
> If you disagree with any of these changes

New description:

 The OpenPGP signature verification instructions at
 https://support.torproject.org/tbb/how-to-verify-signature/ are more
 complicated than they need to be, and more repetitive.  They also are
 confusing!

 I'll attach a revised version of the `contents.lr` file, but you can also
 see the changes with more clarity as a series of individual git commits on
 the `pgp-verification` branch of tor's `support` repo at
 https://0xacab.org/dkg/tor-support.

 The main changes are:

  * group GnuPG installation instructions in one place
  * export the tor developer OpenPGP certificate as a "keyring"
  * use `gpgv` for verification, not raw `gpg`
  * remove accidentally misleading statements about "assigning a trust
 index" and "exchanging fingerprints"
  * use fingerprints and not keyids
  * bake fingerprint verification into the workflow, rather than asking
 humans to compare them manually.

 If you disagree with any of these changes, please let me know, and why.
 I'd be happy to reconsider them with good reason.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
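An added example, not code from the ticket or from the support page it discusses, of what "baking fingerprint verification into the workflow" can look like: it parses the colon-format listing of an exported keyring, accepts only a full 40-hex-digit fingerprint (never a key ID), and hands verification to `gpgv` only after the keyring's primary fingerprint matches. The keyring contents, fingerprints and key IDs in `SAMPLE_LISTING` are constructed placeholders, and `verify_with_gpgv` assumes `gpg` and `gpgv` are on PATH.

```python
import hmac
import re
import subprocess

# Constructed sample of `gpg --with-colons --fingerprint` output for a keyring
# holding one certificate; every fingerprint and key ID here is a placeholder.
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1530000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1530000000::DEADBEEF::Example Signing Key (constructed) <signing@example.org>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1530000000::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

FPR_RE = re.compile(r"^[0-9A-F]{40}$")

def normalize_fingerprint(value: str) -> str:
    """Canonicalise a 40-hex-digit fingerprint; reject 8/16-digit key IDs."""
    fpr = value.replace(" ", "").upper()
    if not FPR_RE.match(fpr):
        raise ValueError("expected a full 40-hex-digit fingerprint, not a key ID")
    return fpr

def primary_fingerprints(listing: str) -> list[str]:
    """Primary-key fingerprints from colon-format output: the `fpr` record
    that follows a `pub` record (the one after `sub` belongs to a subkey)."""
    fprs, after_pub = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "sub":
            after_pub = False
        elif fields[0] == "fpr" and after_pub:
            fprs.append(fields[9].upper())  # fingerprint is field 10
            after_pub = False
    return fprs

def keyring_matches(listing: str, expected: str) -> bool:
    """True only if the keyring holds exactly one certificate and its primary
    fingerprint equals `expected`; a key-ID-shaped `expected` raises."""
    want = normalize_fingerprint(expected)
    found = primary_fingerprints(listing)
    return len(found) == 1 and hmac.compare_digest(found[0], want)

def verify_with_gpgv(keyring: str, sig: str, target: str, expected: str) -> None:
    """Check the keyring's fingerprint, then let gpgv verify sig over target.
    gpgv needs a binary keyring (`gpg --export <fingerprint> > keyring`);
    pass it as ./keyring or an absolute path so gpg does not look in its homedir."""
    listing = subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", "--no-default-keyring",
         "--keyring", keyring], check=True, capture_output=True, text=True).stdout
    if not keyring_matches(listing, expected):
        raise SystemExit("keyring fingerprint does not match the published one")
    subprocess.run(["gpgv", "--keyring", keyring, sig, target], check=True)
```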

