[tor-bugs] #31896 [Webpages/Support]: Bad instructions in Support Portal, "How can I verify Tor Browser's signature?", discourage, deter, and prevent users on macOS from verifying the Signature of downloaded Tor Browser packages
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Sep 29 11:27:50 UTC 2019
#31896: Bad instructions in Support Portal, "How can I verify Tor Browser's
signature?", discourage, deter, and prevent users on macOS from verifying
the Signature of downloaded Tor Browser packages
-------------------------------------------------+-------------------------
 Reporter:  monmire                              |      Owner:  hiro
     Type:  defect                               |     Status:  new
 Priority:  High                                 |  Component:  Webpages/Support
  Version:                                       |   Severity:  Normal
 Keywords:  Support Portal bad instructions      |  Actual Points:
  increase chance of users on macOS receiving a  |
  Tor Browser package containing corrupted       |
  files and/or malware - issue                   |
Parent ID:                                       |     Points:
 Reviewer:                                       |    Sponsor:
-------------------------------------------------+-------------------------
Platform: Tor Browser 8.5.5 on macOS Mojave 10.14.6
Users on macOS who rely solely on and adhere to the crucial Support Portal
instructions currently appearing in
[https://support.torproject.org/tbb/how-to-verify-signature/ How can I verify Tor Browser's signature?] never
will be able to use the Tor Browser Developer's signing key to verify the
Signature of a downloaded Tor Browser package.
"How can I verify Tor Browser's signature?" instructions contain
misinformed, inaccurate, and incomplete instructions for users on macOS
needing to use the Tor Developer's Signing key (".asc" file) to verify the
Signature of a downloaded Tor Browser package (".dmg" file).
The crucial "How can I verify Tor Browser's signature?" instructions for
users on Windows and GNU/Linux to verify the Signature of a downloaded Tor
Browser package DO NOT WORK for users on macOS.
The current "How can I verify Tor Browser's signature?" documentation
instructs users on macOS, Windows, and GNU/Linux, to enter a command with
`gpgv --keyring ./tor.keyring` in the command line, and the command looks
something like the following command to verify the Signature of a
downloaded Tor Browser package, but a command with `gpgv --keyring
./tor.keyring` in the command line DOES NOT WORK for users on macOS:
`gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-8.5.4-osx64_en-US.dmg{.asc,}`
For users on macOS, the preceding command or other similar command using
`gpgv --keyring ./tor.keyring` in the command line returns the following
message:
`gpgv: keyblock resource './tor.keyring': No such file or directory`
`gpgv: no valid OpenPGP data found.`
`gpgv: the signature could not be verified.`
`Please remember that the signature file (.sig or .asc)`
`should be the first file given on the command line.`
For users on macOS, attempts to verify the Signature of a downloaded Tor
Browser package by using `gpgv --keyring .\tor.keyring` in the command
line will fail.
For users on macOS, the `gpg --verify` command must appear in the command
line for verification of the Signature of a downloaded Tor Browser package
to be successful. The example below assumes the user has downloaded the
Tor Browser package (".dmg") file and the PGP Signature (".asc") file to
the "Downloads" folder.
Users on macOS use the command with the following form, and `gpg --verify`
appears in the command line to verify the Signature of a downloaded Tor
Browser package:
`gpg --verify ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg.asc ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg`
For users on macOS, the `TorBrowser-8.5.5-osx64_en-US.dmg.asc` entry must
precede the `TorBrowser-8.5.5-osx64_en-US.dmg` entry on the command line;
the preceding command successfully verifies the Signature of the
downloaded Tor Browser package by returning the following message:
`gpg: Signature made Tue Sep 3 06:07:30 2019 PDT`
`gpg: using RSA key EB774491D9FF06E2`
`gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"`
"How can I verify Tor Browser's signature?" instructions should be edited
accordingly and should have the additional instructions below necessary
for users on macOS relying solely on "How can I verify Tor Browser's
signature?" instructions to use the Tor Developer's Signing key to verify
the Signature of a downloaded Tor Browser package.
----
In the subsection "Fetching the Tor Developers key" in "How can I verify
Tor Browser's signature?", the content should present something like the
following instructions for the benefit of all users on macOS:
The Tor Browser team signs Tor Browser releases.
Import the Tor Browser Developers signing key
(0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
`gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org`
After importing the Tor Browser Developers signing key, users can take
the additional step of saving it to a file by entering the following
command:
`gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290`
On macOS, by default, the preceding export command saves the Tor Browser
Developers key in the following file:
`~/Users/<user name>/tor.keyring`
----
For users on macOS, the subsection "Verifying the signature" in "How can I
verify Tor Browser's signature?" contains misinformed and incomplete
instructions. These instructions should be edited for the benefit of users
on macOS and should include the additional instructions below, crucial
for users on macOS relying solely on "How can I verify Tor Browser's
signature?" instructions to use the Tor Developer's Signing key to verify
the Signature of a downloaded Tor Browser package.
The "Verifying the signature" subsection presently contains the following
information, which confusingly applies the information to users on
Windows, GNU/Linux, and macOS, but in reality the information does not
apply accurately to users on macOS:
Each file on our download page is accompanied by a file with the same
name as the package and the extension ".asc"
The preceding inaccurate information causes confusion for users on macOS
and acts as a deterrent and a stumbling block for users on macOS, thereby
discouraging, thwarting, or preventing users on macOS from using the Tor
Developer's Signing key to verify the Signature of a downloaded Tor
Browser package.
In the subsection "Verifying the signature" in "How can I verify Tor
Browser's signature?", something that looks like the following content
justifiably merits inclusion in the instructions so that users on macOS
relying solely on "How can I verify Tor Browser's signature?" instructions
can receive the crucial benefit of using the Tor Developer's Signing key
to verify the Signature of a downloaded Tor Browser package:
After a macOS user downloads the Tor Browser package (".dmg" file), the
user downloads the Signature file corresponding with the downloaded Tor
Browser installer package.
For users on macOS, on the Tor Browser
[https://www.torproject.org/download/ Download page], clicking on the
"Sig" or "(sig)" link that corresponds with the downloaded Tor Browser
package will open an additional tab in the Tor Browser window, and the
window content will include only a block of text, which is the PGP
Signature itself.
Users on macOS must save the block of text (the PGP Signature) as an
".asc" file.
In the Tor Browser menu bar, users on macOS select "File > Save Page As",
which will open a Finder-save window.
In the Finder-save window, a file name that looks something like
`TorBrowser-8.5.5-osx64_en-US.dmg.asc`, will self-populate in the space
bar on the right side of "Save As:".
If the name of the self-populated file looks something like
`TorBrowser-8.5.5-osx64_en-US.dmg`, the user must type ".asc" file
extension at the end of the file name to make it look something like
`TorBrowser-8.5.5-osx64_en-US.dmg.asc`.
In the Finder-save window, the user selects a folder to save the
Signature (".asc") file and saves it in the same folder where the
downloaded Tor Browser package (".dmg") file was saved, e.g., in the
"Desktop" folder or the "Downloads" folder.
The user customarily always should save the PGP Signature (".asc") file
in the same folder where the user saved the downloaded Tor Browser
package (".dmg" file).
The downloaded Tor Browser package itself will have a file name that
looks something like `TorBrowser-8.5.5-osx64_en-US.dmg`.
----
The important content below justifiably merits inclusion in the
instructions in the "How can I verify Tor Browser's signature?" section
for users on macOS to use the Tor Developer's Signing key to verify the
Signature of a downloaded Tor Browser package.
For users on macOS who have installed GPGTools and have imported the Tor
Browser Developers key into GPG Keychain, the following instructions allow
users to verify the Signature of each downloaded Tor Browser package
quickly without having to use terminal commands each time the user
downloads a fresh updated or upgraded Tor Browser package (".dmg" file) and
its corresponding Signature ("Sig") file:
When the downloaded Tor Browser package (".dmg") file and its
corresponding Signature (".asc") file are saved in the same folder, users
on macOS can double-click on the ".asc" file to open the "Verification
Results" window. A successful verification will display in the
"Verification Results" window a message that looks something like the
following:
`TorBrowser-8.5.5-osx64_en-US.dmg.asc Signed by: Tor Browser Developers (signing key) <torbrowser@torproject.org> (1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2) - Ultimate trust`
The term "Ultimate trust" will appear at the end of the preceding message
only if the user on macOS has assigned "Ownertrust: Ultimate" in GPG
Keychain > pub...Tor Browser Developers...4E2C 6E87 9329 8290 > Key
Details > Key.
Before assigning "Ultimate trust", it is crucial for users on macOS to
confirm that the Key Fingerprint and Subkey Fingerprint appearing in the
GPG Keychain window match the corresponding Key Fingerprint and Subkey
Fingerprint appearing in the official Tor Project
[https://2019.www.torproject.org/docs/signing-keys.html.en list of signing
keys].
----
After the "How can I verify Tor Browser's signature?" instructions are
edited as described, users on macOS who rely solely on "How can I verify
Tor Browser's signature?" documentation will be able to use the Tor
Developer's Signing key to verify the Signature of a downloaded Tor
Browser package, thereby reducing the chances of users on macOS
unknowingly or unwittingly installing Tor Browser packages that might
contain corrupted files and/or malware.
Shouldn't we make it both possible and easier for all users, including
users on macOS, to verify Tor Browser's signature?
In the "How can I verify Tor Browser's signature?" section, can we edit
the instructions as described so users on macOS relying solely on "How can
I verify Tor Browser's signature?" documentation can use the Tor Browser
Developer's signing key to verify the Signature each time a user on macOS
downloads a fresh Tor Browser package?
[https://trac.torproject.org/projects/tor/ticket/31296 #31296 reopened
defect]
[https://trac.torproject.org/projects/tor/ticket/31254 #31254 closed
defect (fixed)]
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31896>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
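
Added example (not part of the ticket or of the Tor Project's documentation): a shell sketch of the `gpg --verify` flow described above that also checks, from gpg's machine-readable `--status-fd` output, that the signature was made under the primary key fingerprint quoted in the ticket instead of relying on the "Good signature" text alone. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary-key fingerprint of the Tor Browser Developers signing key,
# copied from the ticket above.
TOR_PRIMARY_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# signer_is_pinned: read `gpg --status-fd` lines on stdin. Succeed only if a
# VALIDSIG line names the pinned primary key and no BADSIG/ERRSIG appears.
# In a VALIDSIG line the third field is the fingerprint of the key that made
# the signature and the last field is the fingerprint of its primary key.
signer_is_pinned() {
    awk -v want="$TOR_PRIMARY_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_dmg PACKAGE: verify PACKAGE against PACKAGE.asc (signature file
# first, as the ticket notes) with the keys already imported into gpg.
verify_dmg() {
    pkg=$1
    [ -f "$pkg" ] && [ -f "$pkg.asc" ] || {
        echo "missing $pkg or $pkg.asc" >&2
        return 2
    }
    gpg --batch --status-fd 1 --verify "$pkg.asc" "$pkg" 2>/dev/null |
        signer_is_pinned
}

# Constructed status output: a signature by the subkey shown in the ticket,
# and one by an unrelated (made-up) key that gpg would also call "good".
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EB774491D9FF06E2 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG 110775B5D101FB36BC6C911BEB774491D9FF06E2 2019-09-03 1567516050 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'
SAMPLE_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2019-09-03 1567516050 0 4 0 1 10 00 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

printf '%s\n' "$SAMPLE_GOOD" | signer_is_pinned && echo "signer matches pinned key"
```

On a real download the call would be `verify_dmg ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg`, which returns non-zero if either file is missing, the signature is bad, or the signer is not the pinned key.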