mirror of
https://github.com/torproject/webwml.git
synced 2024-12-13 04:56:32 +00:00
193 lines
9.0 KiB
Plaintext
193 lines
9.0 KiB
Plaintext
## translation metadata
|
|
# Revision: $Revision$
|
|
# Translation-Priority: 2-medium
|
|
|
|
#include "head.wmi" TITLE="Tor Project: Verifying Signatures" CHARSET="UTF-8"
|
|
<div id="content" class="clearfix">
|
|
<div id="breadcrumbs">
|
|
<a href="<page index>">Home » </a>
|
|
<a href="<page docs/verifying-signatures>">Verifying Signatures</a>
|
|
</div>
|
|
<div id="maincol">
|
|
<h1>How to verify signatures for packages</h1>
|
|
<hr>
|
|
|
|
<h3>What is a signature and why should I check it?</h3>
|
|
<hr>
|
|
|
|
<p>How do you know that the Tor program you have is really the
|
|
one we made? Many Tor users have very real adversaries who might
|
|
try to give them a fake version of Tor — and it doesn't matter
|
|
how secure and anonymous Tor is if you're not running the real Tor.</p>
|
|
|
|
<p>An attacker could try a variety of attacks to get you to download
|
|
a fake Tor. For example, he could trick you into thinking some other
|
|
website is a great place to download Tor. That's why you should
|
|
always download Tor from <b>https</b>://www.torproject.org/. The
|
|
https part means there's encryption and authentication between your
|
|
browser and the website, making it much harder for the attacker
|
|
to modify your download. But it's not perfect. Some places in the
|
|
world block the Tor website, making users try <a href="<page
|
|
docs/faq>#GetTor">somewhere else</a>. Large
|
|
companies sometimes force employees to use a modified browser,
|
|
so the company can listen in on all their browsing. We've even <a
|
|
href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>
|
|
attackers who have the ability to trick your browser into thinking
|
|
you're talking to the Tor website with https when you're not.</p>
|
|
|
|
<p>Some software sites list <a
|
|
href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
|
|
hashes</a> alongside the software on their website, so users can
|
|
verify that they downloaded the file without any errors. These
|
|
"checksums" help you answer the question "Did I download this file
|
|
correctly from whoever sent it to me?" They do a good job at making
|
|
sure you didn't have any random errors in your download, but they
|
|
don't help you figure out whether you were downloading it from the
|
|
attacker. The better question to answer is: "Is this file that I
|
|
just downloaded the file that Tor intended me to get?"</p>
|
|
|
|
<h3>Where do I get the signatures and the keys that made them?</h3>
|
|
<hr>
|
|
<p>Each file on <a href="<page download/download>">our download
|
|
page</a> is accompanied by a file with the same name as the
|
|
package and the extension ".asc". These .asc files are GPG
|
|
signatures. They allow you to verify the file you've downloaded
|
|
is exactly the one that we intended you to get. For example,
|
|
tor-browser-2.3.25-13_en-US.exe is accompanied by
|
|
tor-browser-2.3.25-13_en-US.exe.asc. For a list
|
|
of which developer signs which package, see our <a href="<page docs/signing-keys>">signing keys</a> page.</p>
|
|
<h3>Windows</h3>
|
|
<hr>
|
|
<p>You need to have GnuPG installed before
|
|
you can verify signatures. Download it from <a
|
|
href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
|
|
<p>Once it's installed, use GnuPG to import the key that signed your
|
|
package. Since GnuPG for Windows is a command-line tool, you will need
|
|
to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
|
|
you will need to tell Windows the full path to the GnuPG program. If
|
|
you installed GnuPG with the default values, the path should be
|
|
something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
|
|
<p>Erinn Clark signs the Tor Browser Bundles. Import her key
|
|
(0x416F061063FEE659) by starting <i>cmd.exe</i> and typing:</p>
|
|
<pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
|
|
<p>After importing the key, you can verify that the fingerprint
|
|
is correct:</p>
|
|
<pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659</pre>
|
|
<p>You should see:</p>
|
|
<pre>
|
|
pub 2048R/63FEE659 2003-10-16
|
|
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
|
|
uid Erinn Clark <erinn@torproject.org>
|
|
uid Erinn Clark <erinn@debian.org>
|
|
uid Erinn Clark <erinn@double-helix.org>
|
|
sub 2048R/EB399FD7 2003-10-16
|
|
</pre>
|
|
<p>To verify the signature of the package you downloaded, you will need
|
|
to download the ".asc" file as well. Assuming you downloaded the
|
|
package and its signature to your Desktop, run:</p>
|
|
<pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe.asc C:\Users\Alice\Desktop\tor-browser-2.3.25-13_en-US.exe</pre>
|
|
<p>The output should say "Good signature": </p>
|
|
<pre>
|
|
gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
|
|
gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
|
|
gpg: aka "Erinn Clark <erinn@debian.org>"
|
|
gpg: aka "Erinn Clark <erinn@double-helix.org>"
|
|
gpg: WARNING: This key is not certified with a trusted signature!
|
|
gpg: There is no indication that the signature belongs to the owner.
|
|
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
|
|
</pre>
|
|
<p>
|
|
Notice that there is a warning because you haven't assigned a trust
|
|
index to this person. This means that GnuPG verified that the key made
|
|
that signature, but it's up to you to decide if that key really belongs
|
|
to the developer. The best method is to meet the developer in person and
|
|
exchange key fingerprints.
|
|
</p>
|
|
<h3>Mac OS X</h3>
|
|
<hr>
|
|
|
|
<p>You need to have GnuPG installed before you can verify
|
|
signatures. You can install it from <a
|
|
href="http://www.gpgtools.org/">http://www.gpgtools.org/</a>.
|
|
</p>
|
|
|
|
<p>Once it's installed, use GnuPG to import the key that signed
|
|
your package. Erinn Clark signs the Tor Browser Bundles. Import her
|
|
key (0x416F061063FEE659) by starting the terminal (under "Applications")
|
|
and typing:</p>
|
|
|
|
<pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
|
|
|
|
<p>After importing the key, you can verify that the fingerprint
|
|
is correct:</p>
|
|
|
|
<pre>gpg --fingerprint 0x416F061063FEE659</pre>
|
|
|
|
<p>You should see:</p>
|
|
<pre>
|
|
pub 2048R/63FEE659 2003-10-16
|
|
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
|
|
uid Erinn Clark <erinn@torproject.org>
|
|
uid Erinn Clark <erinn@debian.org>
|
|
uid Erinn Clark <erinn@double-helix.org>
|
|
sub 2048R/EB399FD7 2003-10-16
|
|
</pre>
|
|
|
|
<p>To verify the signature of the package you downloaded, you will need
|
|
to download the ".asc" file as well. Assuming you downloaded the
|
|
package and its signature to your Desktop, run:</p>
|
|
|
|
<pre>gpg --verify /Users/Alice/TorBrowser-<version-torbrowserbundleosx32>-osx-i386-en-US.zip{.asc,}</pre>
|
|
|
|
<p>The output should say "Good signature": </p>
|
|
|
|
<pre>
|
|
gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
|
|
gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
|
|
gpg: aka "Erinn Clark <erinn@debian.org>"
|
|
gpg: aka "Erinn Clark <erinn@double-helix.org>"
|
|
gpg: WARNING: This key is not certified with a trusted signature!
|
|
gpg: There is no indication that the signature belongs to the owner.
|
|
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
|
|
</pre>
|
|
|
|
<p>
|
|
Notice that there is a warning because you haven't assigned a trust
|
|
index to this person. This means that GnuPG verified that the key made
|
|
that signature, but it's up to you to decide if that key really belongs
|
|
to the developer. The best method is to meet the developer in person and
|
|
exchange key fingerprints.
|
|
</p>
|
|
|
|
<h3>Linux</h3>
|
|
<hr>
|
|
|
|
<p>Most Linux distributions come with gpg preinstalled, so users
|
|
who want to verify the Tor Browser Bundle for Linux (or the source
|
|
tarball) can just follow along with the instructions above for
|
|
"Mac OS X". Note that sometimes Sebastian Hahn (key 0x140C961B)
|
|
signs the Linux TBB packages.</p>
|
|
|
|
<p>If you're using the <b>Debian</b> packages, you should read the
|
|
instructions on <a href="<page docs/debian>#packages">importing
|
|
these keys to apt</a>.</p>
|
|
|
|
<p>If you're using the <b>RPMs</b>, you can manually verify the
|
|
signatures on the RPM packages by <pre>rpm -K filename.rpm</pre></p>
|
|
|
|
<p>See <a
|
|
href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
|
|
to learn more about GPG.</p>
|
|
|
|
</div>
|
|
<!-- END MAINCOL -->
|
|
<div id = "sidecol">
|
|
#include "side.wmi"
|
|
#include "info.wmi"
|
|
</div>
|
|
<!-- END SIDECOL -->
|
|
</div>
|
|
<!-- END CONTENT -->
|
|
#include <foot.wmi>
|
|
|