[tor-bugs] #13273 [Website]: Clarify verifying-signatures.html for builds not signed by erinn
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 27 19:00:45 UTC 2014
#13273: Clarify verifying-signatures.html for builds not signed by erinn
--------------------------------------+---------------------
Reporter: seeess | Owner:
Type: defect | Status: new
Priority: trivial | Milestone:
Component: Website | Version:
Keywords: gpg public key not found | Actual Points:
Parent ID: | Points:
--------------------------------------+---------------------
I downloaded tor-0.2.5.8-rc.tar.gz with the .asc and tried to verify them.
Clicking the "what's this" next to the asc file brings me to
https://www.torproject.org/docs/verifying-signatures.html.en
That site is only focused on tor browser builds and says
"Erinn Clark signs the Tor Browser Bundles. Import her key..."
I must've missed the "tor browser" part and assumed erinn signed all
builds. Following the instructions gives me
gpg --verify tor-0.2.5.8-rc.tar.gz.asc tor-0.2.5.8-rc.tar.gz
gpg: Signature made Tue 23 Sep 2014 01:47:29 AM UTC using RSA key ID 19F78451
gpg: Can't check signature: public key not found
The problem is it looks like roger signs the alpha builds. I figured this
out googling around and finding
https://www.torproject.org/docs/signing-keys.html
Suggested fix:
Mention the "public key not found" error on verifying-signatures.html,
instruct users to download roger's key.
and/or have a different "what's this" page linked next to the alpha builds
(and anything else erinn doesn't sign)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13273>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
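
The failure in this report, as an added example (not part of the original ticket and not Tor Project tooling): a POSIX shell helper that reads gpg's machine-readable --status-fd output and separates "the signer's key is not in the keyring" from "the signature is bad". The function names are hypothetical, and the status lines and key ID in SAMPLE_MISSING are constructed placeholders.

```shell
#!/bin/sh
# Classify the status lines written by `gpg --status-fd 1 --verify SIG FILE`.
# Reads status lines on stdin and prints exactly one verdict line.
classify_gpg_status() {
    bad="" missing="" weak="" fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                bad=1 ;;                      # data does not match signature
            "[GNUPG:] NO_PUBKEY "*)
                # Signer's key is absent from the keyring; keep its key ID.
                missing=${line#"[GNUPG:] NO_PUBKEY "} ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                weak=1 ;;                     # expired or revoked material
            "[GNUPG:] VALIDSIG "*)
                # First field after VALIDSIG is the signing key fingerprint.
                fpr=${line#"[GNUPG:] VALIDSIG "}
                fpr=${fpr%% *} ;;
        esac
    done
    # Precedence: a bad signature always wins, a missing key is never "good".
    if [ -n "$bad" ]; then echo "bad-signature"
    elif [ -n "$missing" ]; then echo "missing-key $missing"
    elif [ -n "$weak" ]; then echo "expired-or-revoked"
    elif [ -n "$fpr" ]; then echo "good $fpr"
    else echo "unknown"
    fi
}

# Run gpg on a detached signature and classify the result.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status
}

# Constructed sample, not captured from a real run: the status lines gpg
# emits when the signing key has not been imported. Key ID is a placeholder.
SAMPLE_MISSING='[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1411436849 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# Stand-alone use: sh script.sh tor-0.2.5.8-rc.tar.gz.asc tor-0.2.5.8-rc.tar.gz
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

A missing-key verdict says nothing about the download itself: the signer's key still has to be imported and its fingerprint compared with the one published on the signing-keys page before the result means anything.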