[tor-bugs] #33548 [Webpages/Website]: Help with How to verify download signature-Instructions unclear or missing for Linux

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Mar 8 03:02:13 UTC 2020


#33548: Help with How to verify download signature-Instructions unclear or missing
for Linux
-------------------------------------------------+-------------------------
 Reporter:  AntiDiluv                            |          Owner:  hiro
     Type:  defect                               |         Status:  new
 Priority:  Very High                            |      Component:
                                                 |  Webpages/Website
  Version:  Tor: unspecified                     |       Severity:  Normal
 Keywords:  Download,  Linux 32, Knoppix,        |  Actual Points:
  signatures, keys                               |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
 At https://support.torproject.org/tbb/how-to-verify-signature/ I'm finding
 no help, as a newbie. Suggest that you add a line or 2 that would help
 greatly: see below. Summary: I'm a new user of Knoppix 8.1. I've cc'd it
 to a USB drive but haven't yet found a thesaurus that gives lists of
 commands so a beginner can speak to 1 of the several terminals. Online and
 in the software, knowledge of command line language is simply assumed.
  The onboard Tor downloader does not work and I don't know how to monkey
 with it. Yesterday I magically, effortlessly went to the Tor site on
 Firefox, downloaded Tor for Linux 32bit, and somehow intuited that by
 going to Properties in one of the files, I could find checksums, copy them
 to another slot in Properties, & Bingo, they matched. I had read about
 checksums before, but had never discovered where to find them or how to
 match them. Now I just discovered this by accident. I felt secure in
 opening that archive. It effortlessly deployed and I had one night of
 fast, lovely use of TOR as I used to have in Windows 7.
    Today of course all my settings are gone, Tor is gone, and I had to
 start over. (I found online instructions by the author of Knoppix- from
 the 90s- as to how to configure Knoppix to save settings -to a floppy
 drive- for a start menu with items that don't exist anymore, which I can't
 find in the system. This seems typical.)
    Today when I downloaded Tor and extracted the archive I found NO files
 with Properties that included checksums.
 SUGGESTION: IT WOULD BE GREAT IF YOU INCLUDED INSTRUCTIONS ABOUT THIS ON
 YOUR HOW-TO-VERIFY-SIG PAGE.
    So I deleted Tor and downloaded again.Same deal. Deleted again.
    I next reviewed the instructions at https://support.torproject.org/tbb
 /how-to-verify-signature/
    Your first suggestion is to download the signature file that
 accompanies each download, w/an .asc extension.
    I have never been able to figure this out when I used Windows 7, nor
 could I now at https://www.torproject.org/download/languages/ . Under
 GNU/Linux, I can click on 32bit and get the download; and I can click on
 (sig) and open a tab that shows a long sequence of digits, with BEGIN PGP
 SIGNATURE and END PGP SIGNATURE bookending it. I see that the tab indeed
 has the name of the file + .asc. But I don't see any way to download this
 as an .asc file. The tab just opens and displays the digit string.
    SUGGESTION: TELL US HOW TO MAKE IT DOWNLOAD AS A FILE.
    If it is downloading automatically when I download the TOR archive, I
 don't know where it is.
    SUGGESTION: TELL US WHERE WE SHOULD LOOK FOR IT, IF IT IS DOWNLOADING.
    So I copied the string of numbers to the little text writer, leaf.txt,
 and saved that in Downloads with the file name + .asc.
    But I doubt that's going to work as your instructions
 prescribe.Actually,that still leaves a question: there are no further
 instructions.
 SUGGESTION: TELL US WHAT ONE IS SUPPOSED TO DO WITH THE .ASC FILE, ONCE
 LOCATED.
   Next I went to your second suggestion,"FETCHING" the Tor Developers Key.
 Luckily, you hinted at method in saying I would have to type in a
 terminal.
 I found a terminal and typed in what you said to do, and was very
 gratified to find that it generated exactly what you predicted.
   How frustrating then, your next instruction:
      After importing the key, you can save it to a file (identifying it by
 fingerprint here):
         gpg --output ./tor.keyring --export
 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
   You were doing so well. Up til then as a normal newbie I was able to
 follow all instructions. Here they devolved into opaque geekspeak.
 SUGGESTION: GIVE A CLUE AS TO HOW TO SAVE TO A FILE from where we're just
 hanging at a line in a terminal.
         And WHAT DOES IT MEAN TO IDENTIFY BY a FINGERPRINT?
   If this is impossible because terminals and their languages are vastly
 different,
 at least define these terms.
   Maybe someone can advise as to where to find simple commands in KDE for
 beginners. The KDE site is just for developers.
 I've been 5 days holed up trying to figure out how to do basic things. I'm
 hungry; I have to go to the bathroom. I'd like to check my mail. People
 must think I've died.
 Hope you can help me and others. Thanks.
   BTW the download says it's v.9.0.5. The form to submit this ticket asks
 for version, but the only permitted fill-ins are variants of version
 4...?? So I said unspecified.
 SUGGESTION: Resolve this apparent mystery.
   AND I am u nable to compose a Summary to the satisfaction of this Form:
 it keeps saying Error Loading Tickets.I wonder if I'll ever get to send
 this.
 SUGGESTION: Have it give more info, so I can fix it. I don't know what it
 wants.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33548>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list