Author: rransom Date: 2012-02-02 04:25:38 +0000 (Thu, 02 Feb 2012) New Revision: 25371
Modified: website/trunk/docs/en/verifying-signatures.wml Log: Specify the bundle on the GPG command line, to block an easy attack
Otherwise, They can put a message with an attached signature in the .asc file, and GPG will call it good.
Modified: website/trunk/docs/en/verifying-signatures.wml =================================================================== --- website/trunk/docs/en/verifying-signatures.wml 2012-02-01 22:33:14 UTC (rev 25370) +++ website/trunk/docs/en/verifying-signatures.wml 2012-02-02 04:25:38 UTC (rev 25371) @@ -97,7 +97,7 @@ to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run:</p>
- <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop<file-win32-bundle-stable>.asc</pre> + <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop<file-win32-bundle-stable></pre>
<p>The output should say "Good signature": </p>
@@ -153,7 +153,7 @@ to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run:</p>
- <pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc</pre> + <pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>{.asc,}</pre>
<p>The output should say "Good signature": </p>
tor-commits@lists.torproject.org