[tor-dev] File verification GUI tool

Nima nima at redteam.io
Mon Sep 23 22:28:54 UTC 2013


Sherief Alaa:
> But this is all an endless chain because let's say I download TBB, then
> download gpg to verify it but then how do I make sure that gpg itself
> wasn't tampered with? (assuming I don't have it installed already.)

Indeed, that's an endless chain and turtles all the way down. Plus (as
you already mentioned) you also need to install gpg for OS X and Windows,
which in Windows' case there's absolutely no secure way to download pgp
itself.
Poor Windows users are screwed by *design*.

That being said, I totally support making this process easier. In fact,
I dream of a day where TBB could itself (or TorButton perhaps) check and
see if all of its executable files are identical to the latest version
on the repository in a secure way without confusing (or even say noticing)
the average user.

Maybe this can be part of the auto-update project?

But whatever it is, it can't be a simple tiny app.

-- 
Nima
0XC009DB191C92A77B | mrphs

"I disapprove of what you say, but I will defend to the death your right
to say it" --Evelyn Beatrice Hall
