commit 181d059fa2448158675736e352c926602320a485
Author: Georg Koppen <gk@torproject.org>
Date:   Wed Dec 23 14:28:39 2015 +0000
Update signature verification page
This update fixes bug 17851 by changing all http:// links to gpg related websites to https:// ones. Furthermore, it incorporates feedback Josef provided to us with respect to signature and SHA256 sums verification on OS X. Thirdly, we need to set LD_LIBRARY_PATH to be able to strip MAR signatures. And, finally, this patch cleans up the GPG output of the Tor Browser developers signing key.
---
 docs/en/verifying-signatures.wml | 41 ++++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml index 8740062..45ffb28 100644 --- a/docs/en/verifying-signatures.wml +++ b/docs/en/verifying-signatures.wml @@ -36,7 +36,7 @@ you're talking to the Tor website with https when you're not.</p>
<p>Some software sites list <a - href="http://en.wikipedia.org/wiki/Cryptographic_hash_function%22%3Esha1 + href="https://en.wikipedia.org/wiki/Cryptographic_hash_function%22%3Esha1 hashes</a> alongside the software on their website, so users can verify that they downloaded the file without any errors. These "checksums" help you answer the question "Did I download this file @@ -60,7 +60,7 @@ <hr> <p>You need to have GnuPG installed before you can verify signatures. Download it from <a - href="http://gpg4win.org/download.html%22%3Ehttp://gpg4win.org/download.html</a>.</p> + href="https://gpg4win.org/download.html%22%3Ehttps://gpg4win.org/download.html</a>.</p> <p>Once it's installed, use GnuPG to import the key that signed your package. Since GnuPG for Windows is a command-line tool, you will need to use <i>cmd.exe</i>. Unless you edit your PATH environment variable, @@ -80,7 +80,6 @@ uid Tor Browser Developers (signing key) torbrowser@torproject.org sub 4096R/F65C2036 2014-12-15 sub 4096R/D40814E0 2014-12-15 - sub 4096R/589839A3 2014-12-15 </pre> <p>To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the @@ -96,8 +95,7 @@ <p>Currently valid subkey fingerprints are: <pre> 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036 - BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0 - 05FA 4425 3F6C 19A8 B7F5 18D4 2D00 0988 5898 39A3</pre></p> + BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0</pre></p> <p> Notice that there is a warning because you haven't assigned a trust index to this person. This means that GnuPG verified that the key made @@ -110,7 +108,7 @@
<p>You need to have GnuPG installed before you can verify signatures. If you are using Mac OS X, you can install it from <a - href="http://www.gpgtools.org/%22%3Ehttp://www.gpgtools.org/</a>. If you + href="https://www.gpgtools.org/%22%3Ehttps://www.gpgtools.org/</a>. If you are using Linux, then it's probably you already have GnuPG in your system, as most Linux distributions come with it preinstalled. </p> @@ -133,17 +131,14 @@ Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 uid Tor Browser Developers (signing key) torbrowser@torproject.org sub 4096R/F65C2036 2014-12-15 - sub 4096R/D40814E0 2014-12-15 - sub 4096R/589839A3 2014-12-15 - </pre> - + sub 4096R/D40814E0 2014-12-15</pre> <p>To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the - package and its signature to your Desktop, run:</p> + package and its signature to your Downloads folder, run:</p>
<strong>For Mac OS X users</strong>:<br /> - <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre> - + <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre> + <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br /> <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>
@@ -157,8 +152,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290</pre> <p> Currently valid subkey fingerprints are: <pre> 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036 - BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0 - 05FA 4425 3F6C 19A8 B7F5 18D4 2D00 0988 5898 39A3</pre></p> + BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0</pre></p> <p> Notice that there is a warning because you haven't assigned a trust index to this person. This means that GnuPG verified that the key made @@ -177,7 +171,7 @@ </p>
<p>See <a - href="http://www.gnupg.org/documentation/%22%3Ehttp://www.gnupg.org/documentation/</a> + href="https://www.gnupg.org/documentation/%22%3Ehttps://www.gnupg.org/documentatio...</a> to learn more about GnuPG.</p>
<hr> @@ -204,14 +198,16 @@ file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file. They can all be found in the same directory under <a href="https://www.torproject.org/dist/torbrowser/"> - https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1' - for Tor Browser 4.5.1.</li> + https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux32>' + for Tor Browser <version-torbrowserbundlelinux32>.</li> + <li>In case your operating system is adding the .txt extension + automatically to the SHA256 sums signature file strip it again by running + <pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre> <li>Retrieve the signers' GPG keys. This can be done from the command line by entering something like <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre> (This will bring you the public part of the Tor Browser developers' - signing key. Other - developers' key IDs can be found on + signing key. Other developers' key IDs can be found on <a href="<page docs/signing-keys>">this page</a>.)</li> <li>Verify the sha256sums-unsigned-build.txt file by executing this @@ -230,7 +226,7 @@ Windows you can use the <a href="http://md5deep.sourceforge.net/"> hashdeep utility</a> and run <pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre> - On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li> + On Mac or Linux you can run <pre>shasum -a 256 <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li> <li>You will see a string of letters and numbers.</li> <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li> <li>Locate the name of the Tor Browser file you downloaded.</li> @@ -241,7 +237,7 @@ </ul>
<p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a> - to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a> + to <a href="https://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a> these steps have been written, but to use them you will need to modify them yourself with the latest Tor Browser filename.</p>
@@ -263,6 +259,7 @@ <pre> cd /path/to/MAR/file unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip + export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre> <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt> with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or
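Review bot: the removal of `sub 4096R/589839A3 2014-12-15` in the @@ -80 hunk (and of the matching `05FA 4425 3F6C 19A8 B7F5 18D4 2D00 0988 5898 39A3` line in the @@ -96 and @@ -157 fingerprint lists) is described in the commit message only as cleaning up the GPG output; please say why that subkey is no longer listed, because a reader who still sees it in their own `gpg --import` output will otherwise wonder whether the key they imported is the wrong one. A one-line note in the page ("subkey X was revoked/expired on ...", whichever applies) next to "Currently valid subkey fingerprints are" would settle that.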
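Review bot: the wording change from "Desktop" to "Downloads folder" in the @@ -133 hunk introduces a mismatch: the OS X command is updated to `gpg --verify ~/Downloads/TorBrowser-...-osx64_en-US.dmg{.asc*,}`, but the Linux command that follows it still reads `gpg --verify ~/Desktop/tor-browser-linux32-...`, so the sentence "Assuming you downloaded the package and its signature to your Downloads folder, run:" is now wrong for Linux users. Either change the Linux path to `~/Downloads` as well or keep the sentence platform-neutral.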
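Review bot: in the @@ -177 hunk the new anchor text reads `https://www.gnupg.org/documentatio...`, i.e. it is cut off, while the removed line carried the full `http://www.gnupg.org/documentation/`. If that truncation is really in the .wml source rather than an artifact of this commit view, the visible link text should be the complete URL `https://www.gnupg.org/documentation/`, matching the href.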
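Review bot: the list item added in the @@ -204 hunk is never closed: `<li>In case your operating system is adding the .txt extension ... <pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>` runs straight into the next `<li>Retrieve the signers' GPG keys`, whereas every surrounding item ends with `</li>`. Add `</li>` after the `</pre>`, and a comma after "signature file" so the sentence parses ("... to the SHA256 sums signature file, strip it again by running").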
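Review bot: the `shasum -a 256` substitution in the @@ -230 hunk is the right call for OS X, which ships `shasum` but not `sha256sum`; the context line just above it, however, still points at `http://md5deep.sourceforge.net/` over plain http while the rest of this commit moves links to https. If that is deliberate because the commit message limits the change to GPG-related sites, fine, but a download link for the checksum tool itself deserves the same treatment in a follow-up.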
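Review bot: the added `export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools` in the @@ -263 hunk leaves the variable set for the rest of the shell session, so every program the user starts afterwards also searches that directory for shared libraries; scope it to the one command instead, e.g. `LD_LIBRARY_PATH=$PWD/mar-tools mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar`. That also removes the second copy of the `/path/to/MAR/file` placeholder, which the preceding `cd` already entered and which a reader could easily substitute in one place but not the other. While in this block, the trailing context line's `sha265sums-unsigned-build.txt` should be `sha256sums-unsigned-build.txt`, the name used everywhere else on the page.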