[tor-bugs] #9864 [- Select a component]: Make it easier for users to do file verification

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 1 20:01:34 UTC 2013 

#9864: Make it easier for users to do file verification
-------------------------------------------------+-------------------------
 Reporter:  mttp                                 |          Owner:  Sherief
     Type:  project                              |         Status:  new
 Priority:  normal                               |      Milestone:
Component:  - Select a component                 |        Version:
 Keywords:  usability, firefox, GPG, signatures  |  Actual Points:
Parent ID:                                       |         Points:
-------------------------------------------------+-------------------------
 Verifying the contents of the Tor Browser Bundle seems to be one of the
 most confusing things that we ask users to do. The help desk often gets
 requests from users seeking guidance on verifying bundles.

 The website documentation on file signature verification we have can be
 found at https://www.torproject.org/docs/verifying-signatures.html.en.
 Multiple users have reported that these inctructions are confusing. I
 don't think this entirely the fault of the page's author.

 There are several issues here to consider:

 1) On the file verification page we tell Windows users to download Gpg4win
 so they can download the bundles. Unfortunately there's no verification
 tool for gpg4win.

 2) The signature verification page will be out-of-date once TBB 3 becomes
 stable. Verifying TBB 3 requires users to verify a signed text file of
 sha256sums, and then take the sha256sum of the package and see if it
 matches what's in the signed text file. Currently there is no way to take
 the sha256sum of anything on Windows unles you compile a program to do it
 yourself or download and run an unverified .exe file from any number of
 http-only websites that show up on a google search.

 3) Command line interface is intimidating for many people. There are no
 instructions on our website for using GUI GnuPG frontends.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9864>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list