[tor-commits] [collector/master] Release README for CollecTor task-19813, derived from metrics-lib.

karsten at torproject.org
Thu Aug 11 08:44:43 UTC 2016


commit af58ba5dabfa323231445bb88fb25051d5a7c154
Author: iwakeh <iwakeh at torproject.org>
Date:   Wed Aug 10 15:53:32 2016 +0200

    Release README for CollecTor task-19813, derived from metrics-lib.
---
 README.md | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b5b3e33
--- /dev/null
+++ b/README.md
@@ -0,0 +1,62 @@
+CollecTor -- The friendly data-collecting service in the Tor network
+====================================================================
+
+CollecTor fetches data from various nodes and services in the public
+Tor network and makes it available to the world.
+
+Verifying releases
+------------------
+
+Releases can be cryptographically verified to get some more confidence that
+they were put together by a Tor developer.  The following steps explain the
+verification process by example.
+
+Download the release tarball and the separate signature file:
+
+```
+wget https://dist.torproject.org/collector/1.0.0/collector-1.0.0.tar.gz
+wget https://dist.torproject.org/collector/1.0.0/collector-1.0.0.tar.gz.asc
+```
+
+Attempt to verify the signature on the tarball:
+
+```
+gpg --verify collector-1.0.0.tar.gz.asc
+```
+
+If the signature cannot be verified due to the public key of the signer
+not being locally available, download that public key from one of the key
+servers and retry:
+
+```
+gpg --keyserver pgp.mit.edu --recv-key 0x4EFD4FDC3F46D41E
+gpg --verify collector-1.0.0.tar.gz.asc
+```
+
+If the signature still cannot be verified, something is wrong!
+
+But note that even if it can be verified, you now only know that the
+signature was made by the person claiming to own this key, which could be
+anyone.  You'll need a trust path to the owner of this key in order to
+trust this signature, but that's clearly out of scope here.  In short,
+your best chance is to meet a Tor developer in real life and enter the web
+of trust.
+
+If you want to go one step further in the verification game, you can
+verify the signature on the .jar files.
+
+Print and then import the provided X.509 certificate:
+
+```
+keytool -printcert -file CERT
+keytool -importcert -alias karsten -file CERT
+```
+
+Verify the signatures on the contained .jar files using Java's jarsigner
+tool:
+
+```
+jarsigner -verify collector-1.0.0.jar
+jarsigner -verify collector-1.0.0-sources.jar
+```
+
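Review bot: the key-import step (`gpg --keyserver pgp.mit.edu --recv-key 0x4EFD4FDC3F46D41E`) identifies the signing key only by its 64-bit key ID fetched from a single keyserver; key IDs are not collision-resistant and keyservers are not authoritative, so the README should publish the key's full fingerprint and tell the reader to compare it (e.g. with `gpg --fingerprint 0x4EFD4FDC3F46D41E`) before trusting the `gpg --verify` result. In the .jar section, `CERT` is used without saying where that certificate file is obtained or what fingerprint the `keytool -printcert` output must match, so the import step cannot be checked by the reader; and `jarsigner -verify collector-1.0.0.jar` prints "jar verified" without showing which certificate signed it, so suggest `jarsigner -verify -verbose -certs` and a sentence on what to compare the shown certificate against.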