[tor-commits] r26775: {website} Moved verification instructions from the FAQ to verifying-si (website/trunk/docs/en)
Matt Pagan
matt at pagan.io
Mon May 12 23:25:52 UTC 2014
Author: mttp
Date: 2014-05-12 23:25:52 +0000 (Mon, 12 May 2014)
New Revision: 26775
Modified:
website/trunk/docs/en/faq.wml
website/trunk/docs/en/verifying-signatures.wml
Log:
Moved verification instructions from the FAQ to verifying-signatures.
Modified: website/trunk/docs/en/faq.wml
===================================================================
--- website/trunk/docs/en/faq.wml 2014-05-12 16:40:43 UTC (rev 26774)
+++ website/trunk/docs/en/faq.wml 2014-05-12 23:25:52 UTC (rev 26775)
@@ -1606,50 +1606,10 @@
<h3><a class="anchor" href="#VerifyDownload">How do I verify the download
(sha256sums.txt)?</a></h3>
- <p>You can still verify your Tor Browser download by downloading the
- signature file (.asc) along with your package and <a
- href="<page docs/verifying-signatures>">
- checking the GPG signature</a> as before. We now have an additional
- verification method that allows you to verify the build as well as
- the download.</p>
+ <p>Instructions are on the <a
+ href="<page docs/verifying-signatures#BuildVerification>">verifying
+ signatures</a> page.</p>
- <ul>
- <li>Download the Tor Browser package, the sha256sums.txt file, and the
- sha256sums signature files. They can all be found in the same directory
- under <a href="https://www.torproject.org/dist/torbrowser/">
- https://www.torproject.org/dist/torbrowser/</a>, for example in 3.5
- for TBB 3.5.</li>
- <li>Retrieve the signers' GPG keys. This can be done from the command
- line by entering something like
- <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
- (This will bring you developer Mike Perry's public key. Other
- developers' key IDs can be found on
- <a href="<page docs/signing-keys>">this
- page</a>.)</li>
- <li>Verify the sha256sums.txt file by executing this command:
- <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li>
- <li>You should see a message like "Good signature from <DEVELOPER
- NAME>". If you don't, there is a problem. Try these steps again.</li>
- <li>Now you can take the sha256sum of the Tor Browser package. On
- Windows you can use the <a href="http://md5deep.sourceforge.net/">
- hashdeep utility</a> and run
- <pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre>
- On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.zip</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li>
- <li>You will see a string of letters and numbers.</li>
- <li>Open sha256sums.txt in a text editor.</li>
- <li>Locate the name of the Tor Browser file you downloaded.</li>
- <li>Compare the string of letters and numbers to the left of your
- filename with the string of letters and numbers that appeared
- on your command line. If they match, you've successfully verified the
- build.</li>
- </ul>
-
- <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">
- Scripts</a> to <a
- href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate
- </a> these steps have been written, but to use them you will need to
- modify them yourself with the latest Tor Browser Bundle filename.</p>
-
<hr>
<a id="NewIdentityClosingTabs"></a>
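Review bot: the replacement paragraph drops the sentence that told readers the per-package `.asc` signature check still applies ("checking the GPG signature as before") and points only at the `#BuildVerification` anchor, so a reader asking the FAQ question is sent past the main part of the verifying-signatures page, which is the basic download check most of them need. Suggest keeping one sentence along the lines of `You can still verify your download by checking the GPG signature on the .asc file; the sha256sums procedure additionally verifies the build`, linking the page itself for the first and the anchor for the second. Also worth confirming that the `<page docs/verifying-signatures#BuildVerification>` form with a fragment is accepted by the wml page macro, since the removed lines only ever use it without one (`<page docs/signing-keys>`, `<page docs/verifying-signatures>`).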
Modified: website/trunk/docs/en/verifying-signatures.wml
===================================================================
--- website/trunk/docs/en/verifying-signatures.wml 2014-05-12 16:40:43 UTC (rev 26774)
+++ website/trunk/docs/en/verifying-signatures.wml 2014-05-12 23:25:52 UTC (rev 26775)
@@ -179,6 +179,63 @@
href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
to learn more about GPG.</p>
+ <hr>
+
+ <a id="BuildVerification"></a>
+ <h3><a class="anchor" href="#BuildVerification">
+ Verifying sha256sums (advanced)</a></h3>
+ <hr>
+ <p>Build reproducibility is a <a
+ href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">security
+ property</a> of Tor Browser Bundle 3.0 and later. Anyone can build the
+ Tor Browser Bundle on their own machine and produce a binary that is
+ bit-for-bit identical to the binary we offer on the download page.
+ Fortunately, it is not necessary for everyone to build the Tor Browser
+ locally to get this security. Verifying and comparing the signed list
+ of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a>
+ will confirm that multiple people have built Tor Browser Bundles
+ identical to the download.</p>
+
+ <p>The steps below walk through this process:</p>
+
+ <ul>
+ <li>Download the Tor Browser package, the sha256sums.txt file, and the
+ sha256sums signature files. They can all be found in the same directory
+ under <a href="https://www.torproject.org/dist/torbrowser/">
+ https://www.torproject.org/dist/torbrowser/</a>, for example in '3.5'
+ for TBB 3.5.</li>
+ <li>Retrieve the signers' GPG keys. This can be done from the command
+ line by entering something like
+ <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
+ (This will bring you developer Mike Perry's public key. Other
+ developers' key IDs can be found on
+ <a href="https://www.torproject.org/docs/signing-keys.html.en">this
+ page</a>.)</li>
+ <li>Verify the sha256sums.txt file by executing this command:
+ <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li>
+ <li>You should see a message like "Good signature from <DEVELOPER
+ NAME>". If you don't, there is a problem. Try these steps again.</li>
+ <li>Now you can take the sha256sum of the Tor Browser package. On
+ Windows you can use the <a href="http://md5deep.sourceforge.net/">
+ hashdeep utility</a> and run
+ <pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre>
+ On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.zip</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li>
+ <li>You will see a string of letters and numbers.</li>
+ <li>Open sha256sums.txt in a text editor.</li>
+ <li>Locate the name of the Tor Browser file you downloaded.</li>
+ <li>Compare the string of letters and numbers to the left of your
+ filename with the string of letters and numbers that appeared
+ on your command line. If they match, you've successfully verified the
+ build.</li>
+ </ul>
+
+ <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a>
+ to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
+ these steps have been written, but to use them you will need to modify
+ them yourself with the latest Tor Browser Bundle filename.</p>
+
+ <hr>
+
</div>
<!-- END MAINCOL -->
<div id = "sidecol">
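Review bot: the placeholders `<NAME OF THE SIGNATURE FILE>`, `<DEVELOPER NAME>` and `<TOR BROWSER FILE NAME>` are unescaped inside HTML, so a browser parses them as tags and the rendered page shows `gpg --verify .asc sha256sums.txt`, which is exactly the line a reader will copy; they need `&lt;...&gt;` (the same defect existed in the FAQ copy being moved, so this is the moment to fix it). Two smaller points: the signing-keys link is an absolute `https://www.torproject.org/docs/signing-keys.html.en` URL where the removed FAQ copy used `<page docs/signing-keys>`, and the `<pre>` elements placed mid-sentence in the Mac/Linux step will each render as a separate block. On the procedure, the step that accepts any "Good signature from ..." line after fetching a key from the keyserver by ID would be stronger if it asked the reader to compare the key's fingerprint against the signing-keys page it already links, since the keyserver returns whichever key carries that ID.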