[tor-bugs] #31296 [Webpages/Support]: simplify OpenPGP signature verification instructions

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 13 23:14:45 UTC 2019 

#31296: simplify OpenPGP signature verification instructions
------------------------------+--------------------------
 Reporter:  dkg               |          Owner:  ggus
     Type:  defect            |         Status:  reopened
 Priority:  Medium            |      Milestone:
Component:  Webpages/Support  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+--------------------------
Changes (by monmire):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Platform: Tor Browser 8.5.5 on macOS Mojave version 10.14.6

 Instructions in the current Support documentation for macOS users
 https://support.torproject.org/tbb/how-to-verify-signature/ causes
 attempts to verify the signature to fail.

 The examples below assume that the macOS user has downloaded the files to
 the "Downloads" folder.

 Terminal command

 `gpg --verify ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg.asc
 /Downloads/TorBrowser-8.5.5-osx64_en-US.dmg`

 successfully verifies the signature by returning  Terminal message

 `gpg: Signature made Tue Sep  3 06:07:30 2019 PDT`
 `gpg:                                   using RSA key EB774491D9FF06E2`
 `gpg: Good signature from "Tor Browser Developers (signing key)
 <torbrowser at torproject.org>" [ultimate]`

 In the preceding Terminal command, notice that the `TorBrowser-8.5.5
 -osx64_en-US.dmg.asc` file entry precedes the `TorBrowser-8.5.5-osx64_en-
 US.dmg` file entry.

 The current Support documentation instructs macOS users to enter Terminal
 command

 `gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-8.5.4-osx64_en-
 US.dmg{.asc,}`

 The preceding Terminal command returns   Terminal message

 `gpgv: keyblock resource './tor.keyring': No such file or directory`
 `gpgv: no valid OpenPGP data found.`
 `gpgv: the signature could not be verified.`
 `Please remember that the signature file (.sig or .asc)`
 `should be the first file given on the command line.`

 Apparently, macOS users must use Terminal command `gpg --verify`, and the
 `{.asc,}` file must appear before the `{.dmg,}` file in the Terminal
 command line before an attempt to verify the signature can be successful.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list