[tor-commits] [webwml/master] Bug 15598: Update documentation for TB 4.5

mikeperry at torproject.org mikeperry at torproject.org
Tue Apr 28 06:19:40 UTC 2015 

commit 7ea8ace5379cf5a656ef7ead5d4ea8467f549b00
Author: Georg Koppen <gk at torproject.org>
Date:   Mon Apr 27 11:19:11 2015 +0000

    Bug 15598: Update documentation for TB 4.5
    
    Refer to the Tor Browser signing key throughout the whole verifying-
    signatures document.
    
    Add documentation for stripping off the authenticode signatures of the
    Windows installers.
---
 docs/en/verifying-signatures.wml |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml
index 89522d4..da1f4eb 100644
--- a/docs/en/verifying-signatures.wml
+++ b/docs/en/verifying-signatures.wml
@@ -207,8 +207,9 @@
       for TBB 3.6.1.</li>
       <li>Retrieve the signers' GPG keys. This can be done from the command
       line by entering something like
-      <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
-      (This will bring you developer Mike Perry's public key. Other
+      <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>
+      (This will bring you the public part of the Tor Browser developers'
+       signing key. Other
       developers' key IDs can be found on
       <a href="<page docs/signing-keys>">this
       page</a>.)</li>
@@ -216,6 +217,13 @@
       <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li>
       <li>You should see a message like "Good signature from <DEVELOPER
       NAME>". If you don't, there is a problem. Try these steps again.</li>
+      <li>If you want to verify a Windows Tor Browser package you need to first
+      strip off the authenticode signature of it. One tool that can be used for
+      this purpose is <a
+      href="http:/osslsigncode.sourceforge.net">osslsigncode</a>. Assuming you
+      have built it on a Linux computer you can enter
+      <pre>/path/to/your/osslsigncode remove-signature \
+        /path/to/your/<TOR BROWSER FILE NAME>.exe <TOR BROWSER FILE NAME>.exe</pre></li>
       <li>Now you can take the sha256sum of the Tor Browser package. On
       Windows you can use the <a href="http://md5deep.sourceforge.net/">
       hashdeep utility</a> and run

More information about the tor-commits mailing list