[tor-bugs] #31296 [Webpages/Support]: simplify OpenPGP signature verification instructions
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 13 23:14:45 UTC 2019
#31296: simplify OpenPGP signature verification instructions
------------------------------+--------------------------
Reporter: dkg | Owner: ggus
Type: defect | Status: reopened
Priority: Medium | Milestone:
Component: Webpages/Support | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+--------------------------
Changes (by monmire):
* status: closed => reopened
* resolution: fixed =>
Comment:
Platform: Tor Browser 8.5.5 on macOS Mojave version 10.14.6
Instructions in the current Support documentation for macOS users
https://support.torproject.org/tbb/how-to-verify-signature/ causes
attempts to verify the signature to fail.
The examples below assume that the macOS user has downloaded the files to
the "Downloads" folder.
Terminal command
`gpg --verify ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg.asc
/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg`
successfully verifies the signature by returning Terminal message
`gpg: Signature made Tue Sep 3 06:07:30 2019 PDT`
`gpg: using RSA key EB774491D9FF06E2`
`gpg: Good signature from "Tor Browser Developers (signing key)
<torbrowser at torproject.org>" [ultimate]`
In the preceding Terminal command, notice that the `TorBrowser-8.5.5
-osx64_en-US.dmg.asc` file entry precedes the `TorBrowser-8.5.5-osx64_en-
US.dmg` file entry.
The current Support documentation instructs macOS users to enter Terminal
command
`gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-8.5.4-osx64_en-
US.dmg{.asc,}`
The preceding Terminal command returns Terminal message
`gpgv: keyblock resource './tor.keyring': No such file or directory`
`gpgv: no valid OpenPGP data found.`
`gpgv: the signature could not be verified.`
`Please remember that the signature file (.sig or .asc)`
`should be the first file given on the command line.`
Apparently, macOS users must use Terminal command `gpg --verify`, and the
`{.asc,}` file must appear before the `{.dmg,}` file in the Terminal
command line before an attempt to verify the signature can be successful.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list