[tor-bugs] #17425 [Applications/GetTor]: Improve GetTor Signature Section

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 30 18:11:09 UTC 2020


#17425: Improve GetTor Signature Section
--------------------------------------------+------------------------
 Reporter:  sukhbir                         |          Owner:  (none)
     Type:  defect                          |         Status:  closed
 Priority:  Medium                          |      Milestone:
Component:  Applications/GetTor             |        Version:
 Severity:  Normal                          |     Resolution:  fixed
 Keywords:  anti-censorship-roadmap-2020Q1  |  Actual Points:
Parent ID:  #9036                           |         Points:  1
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------
Changes (by cohosh):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 This was handled in #23226. Here's the current (OS-specific) signature
 section:

 {{{
 Step 2: Verify the signature (Optional)

         Verifying the signature ensures that a certain package was generated by its
         developers, and has not been tampered with.  This email provides links to signature
         files that have the same name as the Tor Browser file, but end with ".asc" instead.

         If you run Windows, download Gpg4win and run its installer. In order to verify the
         signature you will need to type a few commands in windows command-line, cmd.exe.

         The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers
         signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

                 gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

         This should show you something like:

                 gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
                 gpg: Total number processed: 1
                 gpg:               imported: 1
                 pub   rsa4096 2014-12-15 [C] [expires: 2020-08-24]
                       EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
                 uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
                 sub   rsa4096 2018-05-26 [S] [expires: 2020-09-12]

         After importing the key, you can save it to a file (identifying it by fingerprint here):

                 gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

         Next, you will need to download the corresponding ".asc" signature file and verify it
         with the command:

                 gpgv --keyring .\tor.keyring Downloads\torbrowser-install-9.0.4_ar.exe.asc Downloads\torbrowser-install-9.0.4_ar.exe

         The result of the command should produce something like this:

                 gpgv: Signature made 07/08/19 04:03:49 Pacific Daylight Time
                 gpgv:                using RSA key EB774491D9FF06E2
                 gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
 }}}
 You can see #23226 for examples of the other operating systems. The
 signature text will match the platform of the browser download users
 requested.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17425#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
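
The gpgv output quoted above names the signing subkey (EB774491D9FF06E2), not the primary key whose fingerprint the user imported. The following is an added example, not part of the original message or of GetTor's code: it runs the same gpgv command with `--status-fd` and accepts the file only if the `VALIDSIG` line reports the expected primary fingerprint. The function names and the sample status lines are assumptions constructed for illustration.

```python
import subprocess

# Primary key fingerprint quoted in the GetTor text above.
EXPECTED_PRIMARY = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
# Constructed samples: the subkey fingerprint is padded (only its long key ID
# EB774491D9FF06E2 is on the page); the timestamp and OTHER are made up.
SUBKEY = "0" * 24 + "EB774491D9FF06E2"
OTHER = "A" * 40
TAIL = " 2019-07-08 1562583829 0 4 0 1 10 00 "
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] GOODSIG EB774491D9FF06E2 Tor Browser Developers\n"
               "[GNUPG:] VALIDSIG " + SUBKEY + TAIL + EXPECTED_PRIMARY + "\n")
SAMPLE_OTHER = "[GNUPG:] VALIDSIG " + OTHER + TAIL + OTHER + "\n"
SAMPLE_BAD = "[GNUPG:] BADSIG EB774491D9FF06E2 Tor Browser Developers\n"

def primary_fpr_from_status(status_text):
    """Return the primary-key fingerprint of the single valid signature, else None.

    VALIDSIG arguments per GnuPG doc/DETAILS: signing-key fingerprint, date,
    timestamp, expiry, version, reserved, pubkey algo, hash algo, sig class,
    primary-key fingerprint.
    """
    failures = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}
    primaries = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in failures:
            return None  # any failed or expired/revoked-key signature rejects the file
        if parts[1] == "VALIDSIG" and len(parts) >= 12:
            primaries.append(parts[11].upper())
    return primaries[0] if len(primaries) == 1 else None

def is_trusted_release(status_text, expected=EXPECTED_PRIMARY):
    """True only when the valid signature chains to the expected primary key."""
    return primary_fpr_from_status(status_text) == expected

def verify_file(keyring, sig_path, file_path):
    """Run gpgv as in the steps above, with machine-readable status on stdout."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, file_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and is_trusted_release(proc.stdout)
```

Checking the primary fingerprint matters when the keyring passed to gpgv holds more than one key: a good signature from any of them makes gpgv exit 0.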