[tor-commits] [webwml/staging] Update advanced verification instructions

sebastian at torproject.org sebastian at torproject.org
Mon Jul 6 01:19:22 UTC 2015


commit 06b5b08c45542895c9dffab19f5c3114e3efb7e3
Author: Georg Koppen <gk at torproject.org>
Date:   Wed May 13 12:20:10 2015 +0000

    Update advanced verification instructions
---
 docs/en/verifying-signatures.wml |   24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml
index 64fc5e3..8740062 100644
--- a/docs/en/verifying-signatures.wml
+++ b/docs/en/verifying-signatures.wml
@@ -200,11 +200,12 @@
       <p>The steps below walk through this process:</p>
 
     <ul>
-      <li>Download the Tor Browser package, the sha256sums.txt file, and the
-      sha256sums signature files. They can all be found in the same directory
-      under <a href="https://www.torproject.org/dist/torbrowser/">
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.6.1'
-      for TBB 3.6.1.</li>
+      <li>Download the Tor Browser package, the <tt>sha256sums-unsigned-build.txt</tt>
+      file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.
+      They can all be found in the same directory under
+      <a href="https://www.torproject.org/dist/torbrowser/">
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1'
+      for Tor Browser 4.5.1.</li>
       <li>Retrieve the signers' GPG keys. This can be done from the command
       line by entering something like
       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>
@@ -213,8 +214,9 @@
       developers' key IDs can be found on
       <a href="<page docs/signing-keys>">this
       page</a>.)</li>
-      <li>Verify the sha256sums.txt file by executing this command:
-      <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li>
+      <li>Verify the sha256sums-unsigned-build.txt file by executing this
+      command:
+      <pre>gpg --verify sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.txt</pre></li>
       <li>You should see a message like "Good signature from <DEVELOPER
       NAME>". If you don't, there is a problem. Try these steps again.</li>
       <li>If you want to verify a Windows Tor Browser package you need to first
@@ -230,7 +232,7 @@
       <pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre>
       On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li>
       <li>You will see a string of letters and numbers.</li>
-      <li>Open sha256sums.txt in a text editor.</li>
+      <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li>
       <li>Locate the name of the Tor Browser file you downloaded.</li>
       <li>Compare the string of letters and numbers to the left of your
       filename with the string of letters and numbers that appeared
@@ -263,9 +265,9 @@
     unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
     mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
     <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
-    with the one provided in the <tt>sha265sums.txt</tt> or
-    <tt>sha256sums.incremental.txt</tt> as outlined in <a href="#BuildVerification">Verifying
-    sha256sums (advancded)</a> above.</p>
+    with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or
+    <tt>sha256sums-unsigned-build.incremental.txt</tt> as outlined in
+    <a href="#BuildVerification">Verifying sha256sums (advancded)</a> above.</p>
 
   </div>
   <!-- END MAINCOL -->





More information about the tor-commits mailing list