[tor-commits] [webwml/master] Update signature verification page

sebastian at torproject.org sebastian at torproject.org
Tue Jan 12 12:04:10 UTC 2016


commit 181d059fa2448158675736e352c926602320a485
Author: Georg Koppen <gk at torproject.org>
Date:   Wed Dec 23 14:28:39 2015 +0000

    Update signature verification page
    
    This update fixes bug 17851 by changing all http:// links to gpg related
    websites to https:// ones. Furthermore, it incorporates feedback Josef
    provided to us with respect to signature and SHA256 sums verification on
    OS X. Thirdly, we need to set LD_LIBRARY_PATH to be able to strip MAR
    signatures. And, finally, this patch cleans up the GPG output of the Tor
    Browser developers signing key.
---
 docs/en/verifying-signatures.wml |   41 ++++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 22 deletions(-)

diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml
index 8740062..45ffb28 100644
--- a/docs/en/verifying-signatures.wml
+++ b/docs/en/verifying-signatures.wml
@@ -36,7 +36,7 @@
     you're talking to the Tor website with https when you're not.</p>
 
     <p>Some software sites list <a
-    href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
+    href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
     hashes</a> alongside the software on their website, so users can
     verify that they downloaded the file without any errors. These
     "checksums" help you answer the question "Did I download this file
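Review bot: the anchor text on the changed link still reads "sha1 hashes", while everything else on this page (the sha256sums-unsigned-build.txt steps, the `shasum -a 256` / `sha256sum` commands) deals with SHA-256; since the line is being touched for the https change anyway, consider "cryptographic hashes" or "SHA-256 hashes" so the only named algorithm on a verification page is not SHA-1.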
@@ -60,7 +60,7 @@
     <hr>
     <p>You need to have GnuPG installed before
     you can verify signatures. Download it from <a
-    href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
+    href="https://gpg4win.org/download.html">https://gpg4win.org/download.html</a>.</p>
     <p>Once it's installed, use GnuPG to import the key that signed your
     package. Since GnuPG for Windows is a command-line tool, you will need
     to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
@@ -80,7 +80,6 @@
     uid                  Tor Browser Developers (signing key) <torbrowser at torproject.org>
     sub   4096R/F65C2036 2014-12-15
     sub   4096R/D40814E0 2014-12-15
-    sub   4096R/589839A3 2014-12-15
 </pre>
     <p>To verify the signature of the package you downloaded, you will need
     to download the ".asc" file as well. Assuming you downloaded the
@@ -96,8 +95,7 @@
     <p>Currently valid subkey fingerprints are:
     <pre>
     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
-    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>
     <p>
     Notice that there is a warning because you haven't assigned a trust
     index to this person. This means that GnuPG verified that the key made
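Review bot: the retained `</pre></p>` closes a `<pre>` that was opened inside the `<p>Currently valid subkey fingerprints are:` paragraph; a `<pre>` block is not permitted as a child of `<p>`, so browsers implicitly end the paragraph before the `<pre>` and the trailing `</p>` becomes stray markup. While trimming the fingerprint list, close the paragraph first, e.g. `<p>Currently valid subkey fingerprints are:</p>` followed by the `<pre>...</pre>` on its own.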
@@ -110,7 +108,7 @@
 
     <p>You need to have GnuPG installed before you can verify
     signatures. If you are using Mac OS X, you can install it from <a
-    href="http://www.gpgtools.org/">http://www.gpgtools.org/</a>. If you
+    href="https://www.gpgtools.org/">https://www.gpgtools.org/</a>. If you
     are using Linux, then it's probably you already have GnuPG in your
     system, as most Linux distributions come with it preinstalled.
     </p>
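Review bot: the unchanged context "it's probably you already have GnuPG in your system" is ungrammatical; since this paragraph is being edited for the https change, reword it to "you probably already have GnuPG on your system, as most Linux distributions come with it preinstalled".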
@@ -133,17 +131,14 @@
           Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     uid                  Tor Browser Developers (signing key) <torbrowser at torproject.org>
     sub   4096R/F65C2036 2014-12-15
-    sub   4096R/D40814E0 2014-12-15
-    sub   4096R/589839A3 2014-12-15
-    </pre>
-
+    sub   4096R/D40814E0 2014-12-15</pre>
     <p>To verify the signature of the package you downloaded, you will need
     to download the ".asc" file as well. Assuming you downloaded the
-    package and its signature to your Desktop, run:</p>
+    package and its signature to your Downloads folder, run:</p>
 
     <strong>For Mac OS X users</strong>:<br />
-    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
-    
+    <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
+
     <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
     <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
 
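Review bot: the shared intro sentence now says "Assuming you downloaded the package and its signature to your Downloads folder", but only the OS X command was changed to `~/Downloads`; the Linux command two lines below still reads `~/Desktop/tor-browser-linux32-...`, so a Linux user who follows the text literally gets a "No such file" error from gpg. Either change the Linux `gpg --verify` path to `~/Downloads` as well or keep the intro sentence platform-neutral. Folding `</pre>` onto the `sub 4096R/D40814E0` line also drops the blank line that separated the key listing from the next paragraph; harmless in rendered HTML, but it is a cosmetic change unrelated to the commit's stated purpose.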
@@ -157,8 +152,7 @@
     Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290</pre> <p> Currently valid subkey fingerprints are:
     <pre>
     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
-    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>
+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>
     <p>
     Notice that there is a warning because you haven't assigned a trust
     index to this person. This means that GnuPG verified that the key made
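Review bot: this fingerprint list is a verbatim copy of the one in the Windows section edited above, with the same `<pre>` nested inside `<p>` problem; both copies have to be updated in lock-step every time a subkey is rotated (as this very commit demonstrates), so consider moving the list into a single wml fragment that both the Windows and the OS X/Linux sections include.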
@@ -177,7 +171,7 @@
     </p>
 
     <p>See <a
-    href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
+    href="https://www.gnupg.org/documentation/">https://www.gnupg.org/documentation/</a>
     to learn more about GnuPG.</p>
 
     <hr>
@@ -204,14 +198,16 @@
       file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.
       They can all be found in the same directory under
       <a href="https://www.torproject.org/dist/torbrowser/">
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1'
-      for Tor Browser 4.5.1.</li>
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux32>'
+      for Tor Browser <version-torbrowserbundlelinux32>.</li>
+      <li>In case your operating system is adding the .txt extension
+      automatically to the SHA256 sums signature file strip it again by running
+      <pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>
       <li>Retrieve the signers' GPG keys. This can be done from the command
       line by entering something like
       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>
       (This will bring you the public part of the Tor Browser developers'
-       signing key. Other
-      developers' key IDs can be found on
+       signing key. Other developers' key IDs can be found on
       <a href="<page docs/signing-keys>">this
       page</a>.)</li>
       <li>Verify the sha256sums-unsigned-build.txt file by executing this
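Review bot: the new list item ("In case your operating system is adding the .txt extension ...") is never closed before the following `<li>Retrieve the signers' GPG keys` begins, unlike every other item in this list; add `</li>` after `<pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>`. The sentence also needs a comma after the conditional clause: "... to the SHA256 sums signature file, strip it again by running".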
@@ -230,7 +226,7 @@
       Windows you can use the <a href="http://md5deep.sourceforge.net/">
       hashdeep utility</a> and run
       <pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre>
-      On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li>
+      On Mac or Linux you can run <pre>shasum -a 256 <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li>
       <li>You will see a string of letters and numbers.</li>
       <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li>
       <li>Locate the name of the Tor Browser file you downloaded.</li>
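Review bot: the context line two above the change still links `http://md5deep.sourceforge.net/`, even though the commit message says the http:// links on this page were moved to https; it is not a gpg site, but a plaintext download link for the very tool used to compute checksums is the same downgrade risk, so switch it if the site serves https. On the changed line, `shasum -a 256` is the right fix for OS X, which ships no `sha256sum`; `shasum` is a Perl script that is also present on most Linux systems, so a single `shasum -a 256 <TOR BROWSER FILE NAME>.tar.gz` would cover both platforms and the "or `sha256sum`" branch could be dropped.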
@@ -241,7 +237,7 @@
     </ul>
 
     <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a>
-    to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
+    to <a href="https://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
     these steps have been written, but to use them you will need to modify
     them yourself with the latest Tor Browser filename.</p>
 
@@ -263,6 +259,7 @@
     <pre>
     cd /path/to/MAR/file
     unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
+    export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools
     mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
     <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
     with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or
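Review bot: the added `export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools` repeats the absolute placeholder path that the `cd /path/to/MAR/file` two lines above already established, so a reader has to edit the same placeholder twice; since the shell is already in that directory, `export LD_LIBRARY_PATH=$PWD/mar-tools` is less error-prone, and scoping the variable to the single command (`LD_LIBRARY_PATH=mar-tools mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar`) avoids leaving a library search path exported in the user's shell for the rest of the session. Unrelated, in the unchanged context below the hunk: `sha265sums-unsigned-build.txt` is a typo for `sha256sums-unsigned-build.txt`, the filename used everywhere else on the page.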


