[tor-commits] [webwml/master] Update signature verification page
sebastian at torproject.org
Tue Jan 12 12:04:10 UTC 2016
commit 181d059fa2448158675736e352c926602320a485
Author: Georg Koppen <gk at torproject.org>
Date: Wed Dec 23 14:28:39 2015 +0000
Update signature verification page
This update fixes bug 17851 by changing all http:// links to gpg-related
websites to https:// ones. Furthermore, it incorporates feedback Josef
provided to us with respect to signature and SHA256 sums verification on
OS X. Thirdly, we need to set LD_LIBRARY_PATH to be able to strip MAR
signatures. And, finally, this patch cleans up the GPG output of the Tor
Browser developers signing key.
---
docs/en/verifying-signatures.wml | 41 ++++++++++++++++++--------------------
1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml
index 8740062..45ffb28 100644
--- a/docs/en/verifying-signatures.wml
+++ b/docs/en/verifying-signatures.wml
@@ -36,7 +36,7 @@
you're talking to the Tor website with https when you're not.</p>
<p>Some software sites list <a
- href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
+ href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
hashes</a> alongside the software on their website, so users can
verify that they downloaded the file without any errors. These
"checksums" help you answer the question "Did I download this file
@@ -60,7 +60,7 @@
<hr>
<p>You need to have GnuPG installed before
you can verify signatures. Download it from <a
- href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
+ href="https://gpg4win.org/download.html">https://gpg4win.org/download.html</a>.</p>
<p>Once it's installed, use GnuPG to import the key that signed your
package. Since GnuPG for Windows is a command-line tool, you will need
to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
@@ -80,7 +80,6 @@
uid Tor Browser Developers (signing key) <torbrowser at torproject.org>
sub 4096R/F65C2036 2014-12-15
sub 4096R/D40814E0 2014-12-15
- sub 4096R/589839A3 2014-12-15
</pre>
<p>To verify the signature of the package you downloaded, you will need
to download the ".asc" file as well. Assuming you downloaded the
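Review bot: the listing drops the 589839A3 subkey without the page saying why it is gone. A reader whose own gpg output still shows three subkeys (an older copy of the key in their keyring, or a keyserver still serving the old packet) will see a mismatch with this listing and no way to tell whether that is expected. Add one sentence saying the subkey is no longer among the valid ones and that a stale keyring may still display it.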
@@ -96,8 +95,7 @@
<p>Currently valid subkey fingerprints are:
<pre>
5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
- BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
- 05FA 4425 3F6C 19A8 B7F5 18D4 2D00 0988 5898 39A3</pre></p>
+ BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0</pre></p>
<p>
Notice that there is a warning because you haven't assigned a trust
index to this person. This means that GnuPG verified that the key made
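Review bot: `BA1E E421 ... D408 14E0</pre></p>` on the changed line closes a `<pre>` that was opened inside the `<p>` two lines above; `<pre>` is block-level and is not permitted inside `<p>`, so browsers implicitly end the paragraph at the `<pre>` and the trailing `</p>` becomes stray. While rewriting this line, move the close so it reads `<p>Currently valid subkey fingerprints are:</p>` followed by the `<pre>` block on its own.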
@@ -110,7 +108,7 @@
<p>You need to have GnuPG installed before you can verify
signatures. If you are using Mac OS X, you can install it from <a
- href="http://www.gpgtools.org/">http://www.gpgtools.org/</a>. If you
+ href="https://www.gpgtools.org/">https://www.gpgtools.org/</a>. If you
are using Linux, then it's probably you already have GnuPG in your
system, as most Linux distributions come with it preinstalled.
</p>
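Review bot: the context line "then it's probably you already have GnuPG in your system" is ungrammatical; since this paragraph is already being touched, change it to "then you probably already have GnuPG on your system, as most Linux distributions ship it".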
@@ -133,17 +131,14 @@
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key) <torbrowser at torproject.org>
sub 4096R/F65C2036 2014-12-15
- sub 4096R/D40814E0 2014-12-15
- sub 4096R/589839A3 2014-12-15
- </pre>
-
+ sub 4096R/D40814E0 2014-12-15</pre>
<p>To verify the signature of the package you downloaded, you will need
to download the ".asc" file as well. Assuming you downloaded the
- package and its signature to your Desktop, run:</p>
+ package and its signature to your Downloads folder, run:</p>
<strong>For Mac OS X users</strong>:<br />
- <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
-
+ <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>
+
<strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />
<pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
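Review bot: the prose now says the package and signature were saved to the Downloads folder and the OS X command was changed to `~/Downloads/...`, but the Linux command two lines below still verifies `~/Desktop/tor-browser-linux32-...`; a Linux user who follows the sentence literally gets "No such file or directory" from gpg. Either change the Linux path to `~/Downloads` as well or keep "Desktop" in the shared sentence for Linux.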
@@ -157,8 +152,7 @@
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290</pre> <p> Currently valid subkey fingerprints are:
<pre>
5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
- BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
- 05FA 4425 3F6C 19A8 B7F5 18D4 2D00 0988 5898 39A3</pre></p>
+ BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0</pre></p>
<p>
Notice that there is a warning because you haven't assigned a trust
index to this person. This means that GnuPG verified that the key made
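Review bot: this is the second copy of the subkey fingerprint list on the page (the Windows section carries an identical one), and this patch has to edit both in lockstep to remove 589839A3; factor the list into a single wml include so the next subkey rotation cannot leave one section listing a fingerprint the other has dropped. The same `</pre></p>` nesting problem applies to the changed line here.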
@@ -177,7 +171,7 @@
</p>
<p>See <a
- href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
+ href="https://www.gnupg.org/documentation/">https://www.gnupg.org/documentation/</a>
to learn more about GnuPG.</p>
<hr>
@@ -204,14 +198,16 @@
file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.
They can all be found in the same directory under
<a href="https://www.torproject.org/dist/torbrowser/">
- https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1'
- for Tor Browser 4.5.1.</li>
+ https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux32>'
+ for Tor Browser <version-torbrowserbundlelinux32>.</li>
+ <li>In case your operating system is adding the .txt extension
+ automatically to the SHA256 sums signature file strip it again by running
+ <pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>
<li>Retrieve the signers' GPG keys. This can be done from the command
line by entering something like
<pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>
(This will bring you the public part of the Tor Browser developers'
- signing key. Other
- developers' key IDs can be found on
+ signing key. Other developers' key IDs can be found on
<a href="<page docs/signing-keys>">this
page</a>.)</li>
<li>Verify the sha256sums-unsigned-build.txt file by executing this
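Review bot: the new `<li>` for the .txt-extension case is never closed: its `<pre>` is followed directly by the next `<li>`, whereas every other item in this list ends with `</li>`; add `</li>` after `</pre>`. The sentence also needs a comma after "automatically" ("...automatically, strip it again by running"). And since the `gpg --recv-keys` step in the same hunk fetches the key from a keyserver the reader has no reason to trust, this list should tell them to compare the fingerprint of the imported key with the primary key fingerprint shown earlier on the page before relying on it.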
@@ -230,7 +226,7 @@
Windows you can use the <a href="http://md5deep.sourceforge.net/">
hashdeep utility</a> and run
<pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre>
- On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li>
+ On Mac or Linux you can run <pre>shasum -a 256 <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li>
<li>You will see a string of letters and numbers.</li>
<li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li>
<li>Locate the name of the Tor Browser file you downloaded.</li>
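Review bot: the changed line pairs `shasum -a 256 ... .dmg` with `sha256sum ... .tar.gz` under a single "On Mac or Linux you can run" clause, which reads as if the command depends on the file type rather than the OS; say explicitly "On Mac run `shasum -a 256 ...`; on Linux run `sha256sum ...`". While links are being moved to https in this patch, the hashdeep link in the context line of this hunk is still `http://md5deep.sourceforge.net/`, so switch it as well.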
@@ -241,7 +237,7 @@
</ul>
<p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a>
- to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
+ to <a href="https://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>
these steps have been written, but to use them you will need to modify
them yourself with the latest Tor Browser filename.</p>
@@ -263,6 +259,7 @@
<pre>
cd /path/to/MAR/file
unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
+ export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools
mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
<p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or
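Review bot: the new `export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools` hard-codes the directory already passed to `cd` on the first line, so the reader has to edit the same placeholder twice; after the `cd`, `export LD_LIBRARY_PATH="$PWD/mar-tools"` needs no second edit. The plain assignment also discards any LD_LIBRARY_PATH the user had set; if that matters, prepend with `"$PWD/mar-tools${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. Separately, the context line below misspells the sums file as `sha265sums-unsigned-build.txt`.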