[tor-bugs] #3893 [Website]: Verifying-signatures needs some work

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Aug 12 13:26:54 UTC 2012


#3893: Verifying-signatures needs some work
-------------------------+--------------------------------------------------
 Reporter:  mikeperry    |          Owner:  arma    
     Type:  enhancement  |         Status:  assigned
 Priority:  normal       |      Milestone:          
Component:  Website      |        Version:          
 Keywords:               |         Parent:          
   Points:               |   Actualpoints:          
-------------------------+--------------------------------------------------

Comment(by anonymous6748):

 One of the unfortunate problems with GnuPG on Windows or MacOSX is that
 there's only one distribution of it provided by the gpg4win
 http://www.gpg4win.org team. The authenticity of their binary distribution
 of GnuPG does not have the same level of assurance one can get from the
 distributed copy of GnuPG with a Linux distribution as the iso images for
 those usually include signed sha256 checksums.

 Furthermore, it is not recommended to check the signature of a distribution
 of gpg with itself (http://www.gnupg.org/download/integrity_check.html), but
 I guess for Windows users this cannot be avoided unless they boot up a
 LiveCD and check it from within there.

 It is unlikely they have a Linux system to check gpg4win's integrity on.

 Perhaps a possibility is to use an X.509 signature like the TrueCrypt team
 does: http://www.truecrypt.org/docs/?s=digital-signatures

 gpg4win's website also isn't https (hopefully this could change), so the
 MITM vulnerability discussed on the Tor verification page could quite well
 affect the project page. It is at least fortunate that gpgtools
 https://www.gpgtools.org/ uses https and is verified by the StartCom Ltd
 certificate authority.

 In any case I've made some screenshots from a Windows 7 x64 system. These
 should be included with any step-by-step instructions created for Windows.

 Another thing that should be noted: the gpg4win installer now puts gpg in
 the user's PATH by default, so specifying the full path, i.e. "C:\Program
 Files (x86)\GNU\GnuPG\gpg2.exe", is no longer required. Windows users can
 simply call "gpg2" like Linux and MacOSX users.

 You should assume you have never used the command prompt, so explaining
 each command is best.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3893#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
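The comment above describes two checks a Windows user with gpg2 on the PATH would do when verifying a download: let gpg2 verify a detached signature, then compare the signed SHA-256 checksum list against the files actually downloaded. The script below is an added example, not code from the ticket or from the Tor Project; the file names, the `SHA256SUMS` layout, and the installer bytes are constructed, and the `gpg_verify` helper assumes a `gpg2` binary on the PATH as the comment says the gpg4win installer now arranges.

```python
"""Added example (not from the ticket or the Tor Project): verify a
download against a signed SHA256SUMS-style listing.  Step 1 hands the
detached signature to gpg2 (assumed on PATH); step 2 compares digests.
All sample names and bytes here are constructed."""
import hashlib
import hmac
import subprocess
from pathlib import Path


def parse_sha256sums(text):
    """Parse `sha256sum`-style lines ("<hex>  <name>") into {name: hex}.

    Blank lines and '#' comments are skipped; a leading '*' on the file
    name (sha256sum's binary-mode marker) is dropped.  A line that is not
    a 64-hex-char digest followed by a name is rejected outright.
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[parts[1].lstrip("*")] = parts[0].lower()
    return digests


def sha256_of(data):
    """Hex SHA-256 of an in-memory file body."""
    return hashlib.sha256(data).hexdigest()


def check_downloads(sums_text, downloads):
    """Compare each downloaded file against the (already signature-checked)
    listing.  `downloads` maps file name -> bytes.  Returns {name: status}
    with status "ok", "mismatch" or "not in listing"; a file the listing
    does not mention is reported rather than silently skipped."""
    expected = parse_sha256sums(sums_text)
    results = {}
    for name, data in downloads.items():
        if name not in expected:
            results[name] = "not in listing"
            continue
        match = hmac.compare_digest(sha256_of(data), expected[name])
        results[name] = "ok" if match else "mismatch"
    return results


def gpg_verify(sig_path, data_path, gpg="gpg2"):
    """Step 1: run `gpg2 --verify <sig> <data>` (the command the comment
    says Windows users can now call directly) and accept only if gpg's
    status output carries a VALIDSIG line.  The key must already be
    imported; a missing key or a bad signature both return False."""
    proc = subprocess.run(
        [gpg, "--status-fd", "1", "--verify", str(sig_path), str(data_path)],
        capture_output=True, text=True,
    )
    return any(line.startswith("[GNUPG:] VALIDSIG")
               for line in proc.stdout.splitlines())


# Constructed sample: a fake installer and the listing that names it.
SAMPLE_FILE = b"constructed installer bytes, not a real Tor build\n"
SAMPLE_SUMS = f"{sha256_of(SAMPLE_FILE)}  torbrowser-install.exe\n"


if __name__ == "__main__":
    # Stand-alone demo of step 2 on the constructed sample.
    print(check_downloads(SAMPLE_SUMS, {"torbrowser-install.exe": SAMPLE_FILE}))
    # Step 1 would look like this on a real download (paths are placeholders):
    # if gpg_verify(Path("SHA256SUMS.asc"), Path("SHA256SUMS")): ...
```

The order matters: the checksum comparison is only meaningful after `gpg_verify` has accepted the signature on the listing, because an attacker who can replace the installer on an http mirror can replace an unsigned SHA256SUMS file just as easily. The status-line check is used instead of the exit code so that the script can later be extended to pin the expected key fingerprint from the `VALIDSIG` line.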

