[tor-talk] confusion over verification instructions for build verification on Mac OS X
Georg Koppen
gk at torproject.org
Wed Dec 14 14:31:00 UTC 2016
Jonathan Marquardt:
> On Mon, Dec 12, 2016 at 10:48:46AM -0500, Tor-talk wrote:
>> Reading through this:
>> https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification
>>
>> Trying to do this on Mac OS X.
>>
>> `shasum -a 256 <tor browser distro>.dmg` clearly gives me a checksum that doesn't match the one in the "sha256sums-unsigned-build.txt" file. Tried it with 6.0.6 and 6.0.7.
>>
>> From what I understand, if the PGP signature is valid that confirms the package wasn't tampered with.
>>
>> But it is confusing and disturbing to a newbie to try this and get a mismatched checksum. Please modify these instructions so it's clear what this process is and what you have to do to get it to work because it doesn't work "out of the box" for Mac OS X.
>>
>> Thanks--
>> --
>> tor-talk mailing list - tor-talk at lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
> I had to ask the guys on the IRC myself. The hashes don't match because they
> were created before Apple does their code signing. Hence the "unsigned-build"
> in the filename. If you want to verify Windows/OS X builds, you can only use
> the individual .asc signatures as described in the paragraphs above.
FWIW: we adapted the website to make it more clear that plain checking
of SHA-256 sums is not giving the expected results on OS X.
That said there are ways to verify Windows binaries just by checking the
signature of the sha256sums file, stripping the installer signature and
doing a SHA-256 sum calculation. They are desribed on the
verifying-signatures-website. We are working on that for OS X as well,
see https://trac.torproject.org/projects/tor/ticket/18925.
Georg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20161214/d0e7b16a/attachment.sig>
More information about the tor-talk
mailing list