Matt Pagan 2013-11-05 22:20:17 +00:00
parent 8d353a9a98
commit 5f5e8e08ad

@ -48,43 +48,31 @@
<h3>Where do I get the signatures and the keys that made them?</h3>
<hr>
<p>Each file on <a href="<page download/download>">our download
<p>Each file on <a href="/web/20130929222100/https://www.torproject.org/download/download.html.en">our download
page</a> is accompanied by a file with the same name as the
package and the extension ".asc". These .asc files are GPG
signatures. They allow you to verify the file you've downloaded
is exactly the one that we intended you to get. For example,
tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by
tor-browser-<version-torbrowserbundle>_en-US.exe.asc. For a list
of which developer signs which package, see our <a href="<page
docs/signing-keys>">signing keys</a> page.</p>
<img alt="Download the bundle and the signature" src="../../images/download-tbb-sig.jpg" width="746" height="397">
<br />
tor-browser-2.3.25-13_en-US.exe is accompanied by
tor-browser-2.3.25-13_en-US.exe.asc. For a list
of which developer signs which package, see our <a href="/web/20130929222100/https://www.torproject.org/docs/signing-keys.html.en">signing keys</a> page.</p>
<h3>Windows</h3>
<hr>
<p>You need to have GnuPG installed before
you can verify signatures. Download it from <a
href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
href="/web/20130929222100/http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
<p>Once it's installed, use GnuPG to import the key that signed your
package. Since GnuPG for Windows is a command-line tool, you will need
to use <i>cmd.exe</i>.<br></br>
<img alt="cmd.exe" src="../../images/cmd.jpg" width="405" height="512">
to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
you will need to tell Windows the full path to the GnuPG program. If
you installed GnuPG with the default values, the path should be
something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
<p>Erinn Clark signs the Tor Browser Bundles. Import her key
(0x63FEE659) by starting <i>cmd.exe</i> and typing:</p>
<pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>
<p><strong>Note that Windows 8 users may need to type gpg2 rather than gpg.</strong> <br />After importing the key, you can verify that the fingerprint
(0x416F061063FEE659) by starting <i>cmd.exe</i> and typing:</p>
<pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
<p>After importing the key, you can verify that the fingerprint
is correct:</p>
<pre>gpg --fingerprint 0x63FEE659</pre>
<pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659</pre>
<p>You should see:</p>
<pre>
pub 2048R/63FEE659 2003-10-16
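Review bot: The three hrefs that begin with /web/20130929222100/ (download page, signing keys page, gpg4win) are archive-snapshot paths and will not resolve on the live site; keep the &lt;page download/download&gt; and &lt;page docs/signing-keys&gt; macros and the bare http://gpg4win.org/download.html URL that the sibling lines use. The literal tor-browser-2.3.25-13_en-US.exe file names have the same problem: they go stale at the next release, where &lt;version-torbrowserbundle&gt; does not. On the key lines, use the 0x416F061063FEE659 form in both the --recv-keys and --fingerprint commands, since a 32-bit ID such as 0x63FEE659 is easy to collide. The "Windows 8 users may need to type gpg2" sentence has no counterpart beside the full-path commands, so state whether it still applies there.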
@ -94,16 +82,11 @@
uid Erinn Clark &lt;erinn@double-helix.org&gt;
sub 2048R/EB399FD7 2003-10-16
</pre>
<p>To verify the signature of the package you downloaded, you will need
to download the ".asc" file as well. Assuming you downloaded the
package and its signature to your Desktop, run:</p>
<pre>cd Desktop</pre>
<pre>gpg --verify tor-browser-&lt VERSION NUMBER &gt_en-US.exe.asc tor-browser-&lt VERSION NUMBER &gt_en-US.exe</pre>
<pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe.asc C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe</pre>
<p>The output should say "Good signature": </p>
<pre>
gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
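Review bot: The --verify line using C:\Users\Alice\Desktop\ and 2.3.25-13 hard-codes a user name and a release, while the paragraph above it only says the files are on "your Desktop"; say that Alice is a placeholder, or keep a version placeholder as the other --verify line does. That other line writes its placeholder as "&amp;lt VERSION NUMBER &amp;gt" without the terminating semicolons, so if it stays the entities need them. This step tells the reader only to look for "Good signature"; add a sentence that the "Primary key fingerprint" line in the output must match the fingerprint checked in the --fingerprint step.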
@ -113,7 +96,6 @@
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
</pre>
<p>
Notice that there is a warning because you haven't assigned a trust
index to this person. This means that GnuPG verified that the key made
@ -121,8 +103,6 @@
to the developer. The best method is to meet the developer in person and
exchange key fingerprints.
</p>
<img alt="Verify the signature" src="../../images/verify-bundle.png" width="769" height="454">
<br />
<h3>Mac OS X</h3>
<hr>