Author: mttp Date: 2014-05-12 23:25:52 +0000 (Mon, 12 May 2014) New Revision: 26775
Modified: website/trunk/docs/en/faq.wml website/trunk/docs/en/verifying-signatures.wml Log: Moved verification instructions from the FAQ to verifying-signatures.
Modified: website/trunk/docs/en/faq.wml =================================================================== --- website/trunk/docs/en/faq.wml 2014-05-12 16:40:43 UTC (rev 26774) +++ website/trunk/docs/en/faq.wml 2014-05-12 23:25:52 UTC (rev 26775) @@ -1606,50 +1606,10 @@ <h3><a class="anchor" href="#VerifyDownload">How do I verify the download (sha256sums.txt)?</a></h3>
- <p>You can still verify your Tor Browser download by downloading the - signature file (.asc) along with your package and <a - href="<page docs/verifying-signatures>"> - checking the GPG signature</a> as before. We now have an additional - verification method that allows you to verify the build as well as - the download.</p> + <p>Instructions are on the <a + href="<page docs/verifying-signatures#BuildVerification>">verifying + signatures</a> page.</p>
- <ul> - <li>Download the Tor Browser package, the sha256sums.txt file, and the - sha256sums signature files. They can all be found in the same directory - under <a href="https://www.torproject.org/dist/torbrowser/"> - https://www.torproject.org/dist/torbrowser/</a>, for example in 3.5 - for TBB 3.5.</li> - <li>Retrieve the signers' GPG keys. This can be done from the command - line by entering something like - <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre> - (This will bring you developer Mike Perry's public key. Other - developers' key IDs can be found on - <a href="<page docs/signing-keys>">this - page</a>.)</li> - <li>Verify the sha256sums.txt file by executing this command: - <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li> - <li>You should see a message like "Good signature from <DEVELOPER - NAME>". If you don't, there is a problem. Try these steps again.</li> - <li>Now you can take the sha256sum of the Tor Browser package. On - Windows you can use the <a href="http://md5deep.sourceforge.net/"> - hashdeep utility</a> and run - <pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre> - On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.zip</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li> - <li>You will see a string of letters and numbers.</li> - <li>Open sha256sums.txt in a text editor.</li> - <li>Locate the name of the Tor Browser file you downloaded.</li> - <li>Compare the string of letters and numbers to the left of your - filename with the string of letters and numbers that appeared - on your command line. If they match, you've successfully verified the - build.</li> - </ul> - - <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures"> - Scripts</a> to <a - href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-... 
- </a> these steps have been written, but to use them you will need to - modify them yourself with the latest Tor Browser Bundle filename.</p> - <hr>
<a id="NewIdentityClosingTabs"></a>
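Review bot: the trailing `<hr>` that closed this FAQ entry is removed together with the old instructions, so the new "Instructions are on the verifying signatures page" paragraph now runs straight into `<a id="NewIdentityClosingTabs"></a>` with no separator; unless neighbouring entries also omit it, keep a `<hr>` after the new `</p>` so the entry layout matches the rest of the FAQ. The old text also said readers can still check the `.asc` signature of the package itself; the new one-liner only points at the `#BuildVerification` anchor, so make sure the linked section (or its parent page) still covers the plain signature check.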
Modified: website/trunk/docs/en/verifying-signatures.wml =================================================================== --- website/trunk/docs/en/verifying-signatures.wml 2014-05-12 16:40:43 UTC (rev 26774) +++ website/trunk/docs/en/verifying-signatures.wml 2014-05-12 23:25:52 UTC (rev 26775) @@ -179,6 +179,63 @@ href="http://www.gnupg.org/documentation/%22%3Ehttp://www.gnupg.org/documentation/</a> to learn more about GPG.</p>
+ <hr> + + <a id="BuildVerification"></a> + <h3><a class="anchor" href="#BuildVerification"> + Verifying sha256sums (advanced)</a></h3> + <hr> + <p>Build reproducibility is a <a + href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-... + property</a> of Tor Browser Bundle 3.0 and later. Anyone can build the + Tor Browser Bundle on their own machine and produce a binary that is + bit-for-bit identical to the binary we offer on the download page. + Fortunately, it is not necessary for everyone to build the Tor Browser + locally to get this security. Verifying and comparing the signed list + of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a> + will confirm that multiple people have built Tor Browser Bundles + identical to the download.</p> + + <p>The steps below walk through this process:</p> + + <ul> + <li>Download the Tor Browser package, the sha256sums.txt file, and the + sha256sums signature files. They can all be found in the same directory + under <a href="https://www.torproject.org/dist/torbrowser/"> + https://www.torproject.org/dist/torbrowser/</a>, for example in '3.5' + for TBB 3.5.</li> + <li>Retrieve the signers' GPG keys. This can be done from the command + line by entering something like + <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre> + (This will bring you developer Mike Perry's public key. Other + developers' key IDs can be found on + <a href="https://www.torproject.org/docs/signing-keys.html.en">this + page</a>.)</li> + <li>Verify the sha256sums.txt file by executing this command: + <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li> + <li>You should see a message like "Good signature from <DEVELOPER + NAME>". If you don't, there is a problem. Try these steps again.</li> + <li>Now you can take the sha256sum of the Tor Browser package. 
On + Windows you can use the <a href="http://md5deep.sourceforge.net/"> + hashdeep utility</a> and run + <pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre> + On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.zip</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li> + <li>You will see a string of letters and numbers.</li> + <li>Open sha256sums.txt in a text editor.</li> + <li>Locate the name of the Tor Browser file you downloaded.</li> + <li>Compare the string of letters and numbers to the left of your + filename with the string of letters and numbers that appeared + on your command line. If they match, you've successfully verified the + build.</li> + </ul> + + <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a> + to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a> + these steps have been written, but to use them you will need to modify + them yourself with the latest Tor Browser Bundle filename.</p> + + <hr> + </div> <!-- END MAINCOL --> <div id = "sidecol">
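Review bot: the advice "If you don't, there is a problem. Try these steps again." in the "Good signature" step should tell the reader what a failed verification means for the file they downloaded: a bad or missing signature on sha256sums.txt is the case these steps exist to catch, and the right response is not to extract or run the package until a correctly signed file is obtained, not to repeat the commands. Two smaller points in the same list: the introduction promises that the signed hashes "confirm that multiple people have built Tor Browser Bundles identical to the download", but the steps verify only one `<NAME OF THE SIGNATURE FILE>.asc`, so say explicitly to run `gpg --verify` against each signature file present in the directory; and since `--recv-keys 0x29846B3C683686CC` fetches a key by ID from a keyserver, add a sentence telling the reader to compare the key's fingerprint with the one listed on the signing-keys page before trusting the "Good signature" output. Also worth a check: the hashdeep command uses `-c sha256sum` while the Mac/Linux examples use the `sha256sum` binary; confirm the algorithm name hashdeep's `-c` expects, and note that the hashdeep download link is plain `http://` while every other link in the section is `https://`.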
tor-commits@lists.torproject.org