128341c1a26211b7eb4c8241b837f5e601a0aff2
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

1) ## translation metadata
2) # Revision: $Revision$
Sebastian Hahn 2-medium is an actual trans...

Sebastian Hahn authored 15 years ago

3) # Translation-Priority: 2-medium
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

4) 
5) #include "head.wmi" TITLE="Verifying Signatures" CHARSET="UTF-8"
6) 
7) <div class="main-column">
8) 
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

9) <h2>How to verify signatures for packages</h2>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

10) <hr />
11) 
12) <p>Each file on <a href="<page download>">our download page</a> is accompanied
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

13) by a file with the same name as the package and the extension
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

14) ".asc". These .asc files are GPG signatures. They allow you to verify
15) the file you've downloaded is exactly the one that we intended you to
16) get. For example, vidalia-bundle-0.2.1.25-0.2.7.exe is accompanied by
17) vidalia-bundle-0.2.1.25-0.2.7.exe.asc.</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

18) 
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

19) <p>Of course, you'll need to have our GPG keys in your keyring: if you don't
20) know the GPG key, you can't be sure that it was really us who signed it. The
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

21) signing keys we use are:</p>
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

22) <ul>
23) <li>Roger's (0x28988BF5) typically signs the source code file.</li>
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

24) <li>Nick's (0x165733EA, or its subkey 0x8D29319A).</li>
25) <li>Andrew's (0x31B0974B) typically signs the windows packages.</li>
26) <li>Peter's (0x94C09C7F, or its subkey 0xAFA44BDD).</li>
27) <li>Matt's (0x5FA14861).</li>
28) <li>Jacob's (0x9D0FACE4).</li>
29) <li>Erinn's (0x63FEE659) and (0xF1F5C9B5) typically signs the linux packages.</li>
30) </ul>
31) 
32) <h3>Step Zero: Install GnuPG</h3>
33) <hr />
34) <p>You need to have GnuPG installed before you can verify
35) signatures.</p>
36) 
37) <ul>
38) <li>Linux: see <a
39) href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>
40) or install <i>gnupg</i> from the package management system.</li>
41) <li>Windows: see <a
42) href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>. Look
43) for the "version compiled for MS-Windows" under "Binaries".</li>
44) <li>Mac: see <a
45) href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.</li>
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

46) </ul>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

47) 
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

48) <h3>Step One:  Import the keys</h3>
49) <hr />
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

50) <p>The next step is to import the key. This can be done directly from
51) GnuPG. Make sure you import the correct key. For example, if you
52) downloaded a Windows package, you will need to import Andrew's key.</p>
53) 
54) <p><b>Windows:</b></p>
55) <p>GnuPG for Windows is a command line tool, and you will need to use
56) <i>cmd.exe</i>. Unless you edit your PATH environment variable, you will
57) need to tell Windows the full path to the GnuPG program. If you installed GnuPG
58) with the default values, the path should be something like this: <i>C:\Program
59) Files\Gnu\GnuPg\gpg.exe</i>.</p>
60) 
61) <p>To import the key 0x28988BF5, start <i>cmd.exe</i> and type:</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

62) 
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

63) <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --recv-keys 0x28988BF5</pre>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

64) 
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

65) <p><b>Mac and Linux</b></p>
66) <p>Whether you have a Mac or you run Linux, you will need to use the terminal
67) to run GnuPG. Mac users can find the terminal under "Applications". If you run
68) Linux and use Gnome, the terminal should be under "Applications menu" and
69) "Accessories". KDE users can find the terminal under "Menu" and "System".</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

70) 
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

71) <p>To import the key 0x28988BF5, start the terminal and type:</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

72) 
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

73) <pre>gpg --recv-keys 0x28988BF5</pre>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

74) 
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

75) <h3>Step Two:  Verify the fingerprints</h3>
76) <hr />
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

77) <p>After importing the key, you will want to verify that the fingerprint is correct.</p>
78) 
79) <p><b>Windows:</b></p>
80) <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint (insert keyid here)</pre>
81) 
82) <p><b>Mac and Linux</b></p>
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

83) <pre>gpg --fingerprint (insert keyid here)</pre>
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

84) 
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

85) The fingerprints for the keys should be:
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

86) 
87) <pre>
88) pub   1024D/28988BF5 2000-02-27
89)       Key fingerprint = B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

90) uid                  Roger Dingledine &lt;arma@mit.edu&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

91) 
92) pub   3072R/165733EA 2004-07-03
93)       Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

94) uid                  Nick Mathewson &lt;nickm@alum.mit.edu&gt;
95) uid                  Nick Mathewson &lt;nickm@wangafu.net&gt;
96) uid                  Nick Mathewson &lt;nickm@freehaven.net&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

97) 
98) pub  1024D/31B0974B 2003-07-17
99)      Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

100) uid                  Andrew Lewman (phobos) &lt;phobos@rootme.org&gt;
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

101) uid                  Andrew Lewman &lt;andrew@lewman.com&gt;
102) uid                  Andrew Lewman &lt;andrew@torproject.org&gt;
103) sub   4096g/B77F95F7 2003-07-17
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

104) 
105) pub   1024D/94C09C7F 1999-11-10
106)       Key fingerprint = 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F
107) uid                  Peter Palfrader
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

108) uid                  Peter Palfrader &lt;peter@palfrader.org&gt;
109) uid                  Peter Palfrader &lt;weasel@debian.org&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

110) 
111) pub   1024D/5FA14861 2005-08-17
112)       Key fingerprint = 9467 294A 9985 3C9C 65CB  141D AF7E 0E43 5FA1 4861
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

113) uid                  Matt Edman &lt;edmanm@rpi.edu&gt;
114) uid                  Matt Edman &lt;Matt_Edman@baylor.edu&gt;
115) uid                  Matt Edman &lt;edmanm2@cs.rpi.edu&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

116) sub   4096g/EA654E59 2005-08-17
Jacob Appelbaum Add my gpg key info to the...

Jacob Appelbaum authored 15 years ago

117) 
118) pub   1024D/9D0FACE4 2008-03-11 [expires: 2010-03-11]
119)       Key fingerprint = 12E4 04FF D3C9 31F9 3405  2D06 B884 1A91 9D0F ACE4
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

120) uid                  Jacob Appelbaum &lt;jacob@appelbaum.net&gt;
Jacob Appelbaum Add my gpg key info to the...

Jacob Appelbaum authored 15 years ago

121) sub   4096g/D5E87583 2008-03-11 [expires: 2010-03-11]
Erinn Clark add gpg fingerprint info fo...

Erinn Clark authored 14 years ago

122) 
123) pub   2048R/63FEE659 2003-10-16
124)       Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
125) uid                  Erinn Clark &lt;erinn@torproject.org&gt;
Erinn Clark bump tbb linux version to 1...

Erinn Clark authored 14 years ago

126) uid                  Erinn Clark &lt;erinn@debian.org&gt;
127) uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
Erinn Clark add gpg fingerprint info fo...

Erinn Clark authored 14 years ago

128) sub   2048R/EB399FD7 2003-10-16
129) 
130) pub   1024D/F1F5C9B5 2010-02-03
131)       Key fingerprint = C2E3 4CFC 13C6 2BD9 2C75  79B5 6B8A AEB1 F1F5 C9B5
Erinn Clark bump tbb linux version to 1...

Erinn Clark authored 14 years ago

132) uid                  Erinn Clark &lt;erinn@torproject.org&gt;
Erinn Clark add gpg fingerprint info fo...

Erinn Clark authored 14 years ago

133) sub   1024g/7828F26A 2010-02-03
134) 
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

135) </pre>
136) 
Andrew Lewman Updates to verifying signat...

Andrew Lewman authored 15 years ago

137) <h3>Step Three:  Verify the downloaded package</h3>
138) <hr />
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

139) <p> To verify the signature of the package you downloaded, you will need
140) to download the ".asc" file as well.</p>
141) 
142) <p>In the following examples, the user Alice downloads packages for
143) Windows, Mac OS X and Linux and also verifies the signature of each
144) package. All files are saved on the desktop.</p>
145) 
146) <p><b>Windows:</b></p>
147) <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\vidalia-bundle-0.2.1.25-0.2.7.exe.asc C:\Users\Alice\Desktop\vidalia-bundle-0.2.1.25-0.2.7.exe</pre>
148) 
149) <p><b>Mac:</b></p>
150) <pre>gpg --verify /Users/Alice/vidalia-bundle-0.2.1.25-0.2.7-i386.dmg.asc /Users/Alice/vidalia-bundle-0.2.1.25-0.2.7-i386.dmg</pre>
151) 
152) <p><b>Linux</b></p>
153) <pre>gpg --verify /home/Alice/Desktop/tor-0.2.1.25.tar.gz.asc /home/Alice/Desktop/tor-0.2.1.25.tar.gz</pre>
154) 
155) <p>After verifying, GnuPG will come back saying something like "Good
156) signature" or "BAD signature". The output should look something like
157) this:</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

158) 
159) <pre>
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

160) gpg: Signature made Tue 16 Mar 2010 05:55:17 AM CET using DSA key ID 28988BF5
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

161) gpg: Good signature from "Roger Dingledine &lt;arma@mit.edu&gt;"
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

162) gpg: WARNING: This key is not certified with a trusted signature!
163) gpg:          There is no indication that the signature belongs to the owner.
164) Primary key fingerprint: B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
165) </pre>
166) 
167) <p>
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

168) Notice that there is a warning because you haven't assigned a trust
169) index to this person. This means that GnuPG verified that the key made
170) that signature, but it's up to you to decide if that key really belongs
171) to the developer. The best method is to meet the developer in person and
172) exchange key fingerprints.
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

173) </p>
174) 
175) <p>For your reference, this is an example of a <em>BAD</em> verification. It
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

176) means that the signature and file contents do not match. In this case,
177) you should not trust the file contents:</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

178) 
179) <pre>
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

180) gpg: Signature made Tue 20 Apr 2010 12:22:32 PM CEST using DSA key ID 28988BF5
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

181) gpg: BAD signature from "Roger Dingledine &lt;arma@mit.edu&gt;"
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

182) </pre>
183) 
184) <p>If you are running Tor on Debian you should read the instructions on
Runa A. Sandvik how to verify signatures in...

Runa A. Sandvik authored 14 years ago

185) <a href="<page docs/debian>#packages">importing these keys to apt</a>.</p>
186) 
187) <p>If you wish to learn more about GPG, see <a
188) href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>.</p>