[or-cvs] r18040: {} Move the "Verifying Singatures" page from the Wiki to the we (website/trunk/en)

sebastian at seul.org sebastian at seul.org
Fri Jan 9 11:19:35 UTC 2009 

Author: sebastian
Date: 2009-01-09 06:19:35 -0500 (Fri, 09 Jan 2009)
New Revision: 18040

Added:
   website/trunk/en/verifying-signatures.wml
Log:
Move the "Verifying Singatures" page from the Wiki to the website.

Added: website/trunk/en/verifying-signatures.wml
===================================================================
--- website/trunk/en/verifying-signatures.wml	                        (rev 0)
+++ website/trunk/en/verifying-signatures.wml	2009-01-09 11:19:35 UTC (rev 18040)
@@ -0,0 +1,117 @@
+## translation metadata
+# Revision: $Revision$
+# Translation-Priority: 3-medium
+
+#include "head.wmi" TITLE="Verifying Signatures" CHARSET="UTF-8"
+
+<div class="main-column">
+
+<h2>Verifying signatures on released files</h2>
+<hr />
+
+<p>Each file on <a href="<page download>">our download page</a> is accompanied
+by a file with the same name and the extension ".asc".</p>
+
+<p>These are PGP signatures, so you can verify that the file you've downloaded
+is exactly the one that we intended you to get.</p>
+
+<p>Of course, you'll need to have our pgp keys in your keyring: if you don't
+know the pgp key, you can't be sure that it was really us who signed it. The
+signing keys we use are Roger's (0x28988BF5) and Nick's (0x165733EA, or its
+subkey 0x8D29319A). Some binary packages may also be signed by Andrew's
+(0x31B0974B), Peter's (0x94C09C7F, or its subkey 0xAFA44BDD), or Matt's
+(0x5FA14861). See keyserver.noreply.org for details.</p>
+
+<p>You can import keys directly from GnuPG as well:</p>
+
+<pre>gpg --keyserver subkeys.pgp.net --recv-keys 0x28988BF5</pre>
+
+<p>or search for keys with</p>
+
+<pre>gpg --keyserver subkeys.pgp.net --search-keys
+0x28988BF5</pre>
+
+<p>and when you select one, it will be added to your keyring.</p>
+
+<p>The fingerprints for the keys should be:</p>
+
+<pre>
+pub   1024D/28988BF5 2000-02-27
+      Key fingerprint = B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
+uid                  Roger Dingledine <arma at mit.edu>
+
+pub   3072R/165733EA 2004-07-03
+      Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA
+uid                  Nick Mathewson <nickm at alum.mit.edu>
+uid                  Nick Mathewson <nickm at wangafu.net>
+uid                  Nick Mathewson <nickm at freehaven.net>
+
+pub  1024D/31B0974B 2003-07-17
+     Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B
+uid                  Andrew Lewman (phobos) <phobos at rootme.org>
+
+pub   1024D/94C09C7F 1999-11-10
+      Key fingerprint = 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F
+uid                  Peter Palfrader
+uid                  Peter Palfrader <peter at palfrader.org>
+uid                  Peter Palfrader <weasel at debian.org>
+
+pub   1024D/5FA14861 2005-08-17
+      Key fingerprint = 9467 294A 9985 3C9C 65CB  141D AF7E 0E43 5FA1 4861
+uid                  Matt Edman <edmanm at rpi.edu>
+uid                  Matt Edman <Matt_Edman at baylor.edu>
+uid                  Matt Edman <edmanm2 at cs.rpi.edu>
+sub   4096g/EA654E59 2005-08-17
+</pre>
+
+<p>(Of course if you want to be really certain that those are the real ones
+(this wiki could have been tampered with) then you should check this from more
+places or even better get into key signing and build a trust path to those
+keys.)</p>
+
+<p>If you're using GnuPG, then put the .asc and the download in the same
+directory and type "gpg (whatever).asc". It will say something like "Good
+signature" or "BAD signature" using the following type of command:</p>
+
+<pre>
+gpg --verify tor-0.1.0.17.tar.gz.asc
+gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5
+gpg: Good signature from "Roger Dingledine <arma at mit.edu>"
+gpg:                 aka "Roger Dingledine <arma at mit.edu>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
+</pre>
+
+<p>
+Notice that there is a warning because you haven't assigned a trust index to
+this user. This means that your program verified the key made that signature.
+It's up to the user to decide if that key really belongs to the developers. The
+best method is to meet them in person and exchange gpg fingerprints. Keys can
+also be signed. If you look up arma or nick's keys, other people have
+essentially said "we have verified this is arma/nick". So if you trust that
+third party, then you have a level of trust for that arma/nick.
+</p>
+
+<p>All this means is you can ignore the message or assign a trust level.</p>
+
+<p>For your reference, this is an example of a <em>BAD</em> verification. It
+means that the signature and file contents do not match:</p>
+
+<pre>
+gpg --verify tor-0.1.0.17.tar.gz.asc
+gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5
+gpg: BAD signature from "Roger Dingledine <arma at mit.edu>"
+</pre>
+
+<p>If you see a message like the above one, then you should not have any trust
+in the file contents.</p>
+
+<p>If you are running Tor on Debian you should read the instructions on
+<a
+href="https://wiki.torproject.org/noreply/TheOnionRouter/TorOnDebian">importing
+these keys to apt</a>.</p>
+
+</div><!-- #main -->
+
+#include <foot.wmi>

More information about the tor-commits mailing list