[tor-bugs] #31296 [Webpages/Support]: simplify OpenPGP signature verification instructions

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 31 13:58:02 UTC 2019 

#31296: simplify OpenPGP signature verification instructions
------------------------------+----------------------
 Reporter:  dkg               |          Owner:  hiro
     Type:  defect            |         Status:  new
 Priority:  Medium            |      Milestone:
Component:  Webpages/Support  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+----------------------

Comment (by dkg):

 One additional change that i don't know how to make is to encourage the
 person reading these instructions to identify the correct version number
 that they are installing.  The instructions before my changes had as an
 example the version number `8.0.8`.  In my edits, i updated that to
 `8.5.4` (more current).

 I see three options to make this less tricky/confusing to a new user:

  * update this page upon every release of TBB, so that the version number
 in the instructions matches the version number they download at the time.
 This is the simplest for the novice user who can just copy the commands
 directly without having to learn exactly what they mean.
  * use some sort of explicit placeholder in the text of the page, asking
 the reader explicitly to interpolate (for example) `VERSION` for the
 version that they downloaded.  This ensures that the user actually
 understands what they are doing, while making the verification break for
 users who are confused.
  * use some explicit variable expansion in the command-line instructions
 (e.g. instructing the user to set `TOR_VERSION=8.5.4` as the first step),
 and then doing shell variable expansion in the later stages (e.g.`gpgv
 --keyring ./tor.keyring tor-install-${TOR_VERSION}{.asc,}`).  This makes
 the command line invocations look even more "magic" for users who don't
 know shell, but gives them one explicit step to take to assert the version
 number as part of the verification process.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list