[tor-bugs] #31254 [Webpages/Support]: Tor Support Portal "How can I verify Tor Browser's signature" has inaccurate instructions that can prevent signature verification of Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jul 26 21:03:28 UTC 2019
#31254: Tor Support Portal "How can I verify Tor Browser's signature" has
inaccurate instructions that can prevent signature verification of Tor
Browser
-------------------------------------------------+-------------------------
 Reporter:  monmire                              |          Owner:  hiro
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Component:  Webpages/Support
  Version:                                       |       Severity:  Normal
 Keywords:  Support Portal instructions can      |  Actual Points:
  prevent signature verification - issue         |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
At https://support.torproject.org/tbb/how-to-verify-signature/, [[BR]]
the subsection {{{"macOS and Linux" / For macOS users}}}[[BR]] presents
instructions to macOS users to run the terminal command [[BR]]
{{{gpg --verify ~/Downloads/TorBrowser-8.0.8-osx64_en-US.dmg{.asc,} }}}
On macOS, running that command returns terminal output [[BR]]
{{{gpg: no valid OpenPGP data found.}}}[[BR]]
{{{gpg: the signature could not be verified.}}}[[BR]]
{{{Please remember that the signature file (.sig or .asc)}}}[[BR]]
{{{should be the first file given on the command line.}}}
However, running terminal command [[BR]]
{{{gpg --verify ~/Downloads/{.asc,} TorBrowser-8.0.8-osx64_en-US.dmg}}}
[[BR]]
returns terminal output [[BR]]
{{{gpg: Signature made Mon Jul 8 03:56:12 2019 PDT}}} [[BR]]
{{{gpg: using RSA key EB774491D9FF06E2}}} [[BR]]
{{{gpg: Good signature from "Tor Browser Developers (signing key)
<torbrowser at torproject.org>"}}}
----
If we instruct new Tor Browser users, who might become discouraged by the
terminal return [[BR]]
{{{gpg: no valid OpenPGP data found.}}}[[BR]]
{{{gpg: the signature could not be verified.}}}[[BR]]
{{{Please remember that the signature file (.sig or .asc)}}}[[BR]]
{{{should be the first file given on the command line.}}} [[BR]]
to instead run terminal command [[BR]]
{{{gpg --verify ~/Downloads/{.asc,} TorBrowser-8.0.8-osx64_en-US.dmg}}},
[[BR]]
perhaps more Tor Browser users with less experience might complete a
proper verification of Tor Browser's signature, and Tor Browser might gain
more new users.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31254>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
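
As an added example (not part of the ticket or of the Tor Project's instructions): a small shell pre-flight that checks the two files `gpg --verify` needs, signature first and download second, before gpg is called. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example. In bash, FILE{.asc,} expands to two words, "FILE.asc FILE":
# the detached signature first, the signed download second, which is the
# order `gpg --verify` expects.

# preflight FILE -> 0 if FILE and FILE.asc look usable, else a distinct code.
preflight() {
    data=$1
    sig=$1.asc
    if [ ! -f "$data" ]; then
        echo "missing download: $data" >&2
        return 2
    fi
    if [ ! -s "$sig" ]; then
        echo "missing or empty signature file: $sig" >&2
        return 3
    fi
    # An ASCII-armored detached signature starts with this marker. If the
    # first file given to gpg is anything else (for example a saved HTML
    # page), gpg reports "no valid OpenPGP data found".
    if ! grep -q -e '^-----BEGIN PGP SIGNATURE-----' "$sig"; then
        echo "not an armored OpenPGP signature: $sig" >&2
        return 4
    fi
    return 0
}

# verify_download FILE -> runs gpg only when the pre-flight passes.
verify_download() {
    preflight "$1" || return $?
    gpg --verify "$1.asc" "$1"
}

# Usage: sh verify.sh ~/Downloads/TorBrowser-8.0.8-osx64_en-US.dmg
if [ "$#" -gt 0 ]; then
    verify_download "$1"
fi
```

A zero exit from `verify_download` only means gpg accepted the signature; the key ID in gpg's output still has to be compared with the signing key the project publishes.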