commit 7ea8ace5379cf5a656ef7ead5d4ea8467f549b00 Author: Georg Koppen gk@torproject.org Date: Mon Apr 27 11:19:11 2015 +0000
Bug 15598: Update documentation for TB 4.5
Refer to the Tor Browser signing key throughout the whole verifying- signatures document.
Add documentation for stripping off the authenticode signatures of the Windows installers. --- docs/en/verifying-signatures.wml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml index 89522d4..da1f4eb 100644 --- a/docs/en/verifying-signatures.wml +++ b/docs/en/verifying-signatures.wml @@ -207,8 +207,9 @@ for TBB 3.6.1.</li> <li>Retrieve the signers' GPG keys. This can be done from the command line by entering something like - <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre> - (This will bring you developer Mike Perry's public key. Other + <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre> + (This will bring you the public part of the Tor Browser developers' + signing key. Other developers' key IDs can be found on <a href="<page docs/signing-keys>">this page</a>.)</li> @@ -216,6 +217,13 @@ <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li> <li>You should see a message like "Good signature from <DEVELOPER NAME>". If you don't, there is a problem. Try these steps again.</li> + <li>If you want to verify a Windows Tor Browser package you need to first + strip off the authenticode signature of it. One tool that can be used for + this purpose is <a + href="http:/osslsigncode.sourceforge.net">osslsigncode</a>. Assuming you + have built it on a Linux computer you can enter + <pre>/path/to/your/osslsigncode remove-signature \ + /path/to/your/<TOR BROWSER FILE NAME>.exe <TOR BROWSER FILE NAME>.exe</pre></li> <li>Now you can take the sha256sum of the Tor Browser package. On Windows you can use the <a href="http://md5deep.sourceforge.net/"> hashdeep utility</a> and run