[tor-talk] How to verify the authenticity of the Torbutton xpi file

Michael Gomboc michael.gomboc at gmail.com
Fri Sep 23 15:28:16 UTC 2011


OK, I guess I know too little about PGP. So, if someone does not have the
private key, they cannot provide the right signature. So even if you
download the signature and the file from a fake page, you would notice by
checking the authenticity. Is that right?

Thanks again. :-)

2011/9/23 <tor at lists.grepular.com>

> On 23/09/11 15:10, Michael Gomboc wrote:
>
> > Thanks Andrew. But when the SSL certificate is faked....
>
> If you have the public key which corresponds to the private key which
> was used to create the signature, then it doesn't matter if the SSL
> certificate is faked. Even using non-SSL http would be fine.
>
> https://www.torproject.org/docs/verifying-signatures.html
>
> If the file, or the signature file you download are tampered with, doing
> this verification will alert you to that fact.
>
> --
> Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
> Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
> PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F


-- 
Michael Gomboc
pgp-id: 0x5D41FDF8
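
The check discussed in this thread, as an added example that is not part of the original messages: a user keyring holding only the signer's public key accepts the genuine file and rejects both a file altered in transit and a file-plus-signature pair served from a fake page. Assumes GnuPG 2.1 or later; every key, file name and helper function below is constructed for the demonstration.

```shell
# Constructed demo: throwaway keys and a stand-in file, nothing from the Tor Project.
g() {  # g HOMEDIR ARGS...: run gpg non-interactively against one keyring
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

newkey() {  # newkey HOMEDIR: create a keyring containing one fresh signing key
  mkdir -m 700 "$1" &&
    g "$1" --quick-generate-key 'Demo Signer <signer@example.invalid>' default default never
}

setup_demo() {  # builds all three cases and prints the work directory
  w=$(mktemp -d) || return 1
  newkey "$w/signer" || return 1
  # The user's keyring holds only the signer's public key, obtained in advance.
  mkdir -m 700 "$w/user"
  g "$w/signer" --armor --export > "$w/signer.pub"
  g "$w/user" --import "$w/signer.pub" || return 1
  # Genuine file with its detached signature.
  printf 'constructed stand-in for the xpi\n' > "$w/file.xpi"
  g "$w/signer" --output "$w/file.xpi.asc" --armor --detach-sign "$w/file.xpi" || return 1
  # Case 1: file changed in transit, original signature left in place.
  cp "$w/file.xpi.asc" "$w/altered.xpi.asc"
  printf 'altered contents\n' > "$w/altered.xpi"
  # Case 2: fake page serves its own file and a signature made with a
  # different private key that carries the same user ID.
  newkey "$w/other" || return 1
  printf 'substituted contents\n' > "$w/fake.xpi"
  g "$w/other" --output "$w/fake.xpi.asc" --armor --detach-sign "$w/fake.xpi" || return 1
  echo "$w"
}

verify() {  # verify WORKDIR NAME: exit status 0 only for a good signature
  g "$1/user" --verify "$1/$2.asc" "$1/$2"
}

cleanup() {  # stop the per-keyring agents and delete the work directory
  for h in signer user other; do
    gpgconf --homedir "$1/$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$1"
}
# Usage: w=$(setup_demo); verify "$w" file.xpi; verify "$w" altered.xpi; verify "$w" fake.xpi
```

Only the first `verify` call returns 0. The second fails as a bad signature and the third fails because the user's keyring has no public key matching the substituted signature.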