commit 67fd39679adbb1db5fc1af49e40332037e769508 Author: Georg Koppen gk@torproject.org Date: Mon Dec 12 18:58:41 2016 +0000

Bug 20954: Checking OS X bundles with sha256sum does not work

Due to Apple's codesigning requirement one can't simply compare hash values to check whether a self-compiled bundle is matching the one we ship. Yet our documentation seems to imply that. We should point this problem out for now until we come up with a better solution. --- docs/en/verifying-signatures.wml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml index 12678b0..95cdb01 100644 --- a/docs/en/verifying-signatures.wml +++ b/docs/en/verifying-signatures.wml @@ -230,7 +230,10 @@ Windows you can use the <a href="http://md5deep.sourceforge.net/"> hashdeep utility</a> and run <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre> - On Mac or Linux you can run <pre>shasum -a 256 &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li> + <p>On Linux you can run</p> + <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> + without having to download a utility. Note: this does not work for OS X + yet due to Apple's codesigning requirement.</li> <li>You will see a string of letters and numbers.</li> <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li> <li>Locate the name of the Tor Browser file you downloaded.</li>