[tor-bugs] #31254 [Webpages/Support]: Tor Support Portal "How can I verify Tor Browser's signature" has inaccurate instructions that can prevent signature verification of Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 31 13:48:19 UTC 2019
#31254: Tor Support Portal "How can I verify Tor Browser's signature" has
inaccurate instructions that can prevent signature verification of Tor
Browser
-------------------------------------------------+-------------------------
Reporter: monmire | Owner: hiro
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Webpages/Support | Version:
Severity: Normal | Resolution:
Keywords: Support Portal instructions can | Actual Points:
prevent signature verification - issue |
Parent ID: #31296 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by dkg):
The text listed above is likely to be failing because of the version
number (`8.0.8`) which is embedded in the string.
The replacement proposed here: (`gpg --verify ~/Downloads/{.asc,}
TorBrowser-8.0.8-osx64_en-US.dmg`) does not make any sense to me. the
shell should expand this to:
{{{
gpg --verify ~/Downloads/.asc ~/Downloads/ TorBrowser-8.0.8-osx64_en-
US.dmg
}}}
But these three arguments to `gpg --verify` don't make any sense. `gpg
--verify` can indeed take more than two arguments (though this is highly
unusual). But it does not make any sense for one of the arguments to be a
directory (`~/Downloads/`), and it's not clear why there should be any
file named `~/Downloads/.asc` at all.
The changes over in #31296 convert the instructions to use `gpgv` but
don't abstract away the version number, so may cause problems in the
future. but i'll follow up over there.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31254#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list