a436fa29851fc7b60a587946bfd3ba078f5974e1
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

1) ## translation metadata
2) # Revision: $Revision$
Sebastian Hahn 2-medium is an actual trans...

Sebastian Hahn authored 15 years ago

3) # Translation-Priority: 2-medium
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

4) 
5) #include "head.wmi" TITLE="Verifying Signatures" CHARSET="UTF-8"
6) 
7) <div class="main-column">
8) 
9) <h2>Verifying signatures on released files</h2>
10) <hr />
11) 
12) <p>Each file on <a href="<page download>">our download page</a> is accompanied
13) by a file with the same name and the extension ".asc".</p>
14) 
15) <p>These are PGP signatures, so you can verify that the file you've downloaded
16) is exactly the one that we intended you to get.</p>
17) 
18) <p>Of course, you'll need to have our pgp keys in your keyring: if you don't
19) know the pgp key, you can't be sure that it was really us who signed it. The
20) signing keys we use are Roger's (0x28988BF5) and Nick's (0x165733EA, or its
21) subkey 0x8D29319A). Some binary packages may also be signed by Andrew's
Jacob Appelbaum Add my gpg key info to the...

Jacob Appelbaum authored 15 years ago

22) (0x31B0974B), Peter's (0x94C09C7F, or its subkey 0xAFA44BDD), Matt's
23) (0x5FA14861), or Jacob's (0x9D0FACE4).</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

24) 
25) <p>You can import keys directly from GnuPG as well:</p>
26) 
27) <pre>gpg --keyserver subkeys.pgp.net --recv-keys 0x28988BF5</pre>
28) 
29) <p>or search for keys with</p>
30) 
Roger Dingledine fix a broken <pre> section

Roger Dingledine authored 15 years ago

31) <pre>gpg --keyserver subkeys.pgp.net --search-keys 0x28988BF5</pre>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

32) 
33) <p>and when you select one, it will be added to your keyring.</p>
34) 
35) <p>The fingerprints for the keys should be:</p>
36) 
37) <pre>
38) pub   1024D/28988BF5 2000-02-27
39)       Key fingerprint = B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

40) uid                  Roger Dingledine &lt;arma@mit.edu&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

41) 
42) pub   3072R/165733EA 2004-07-03
43)       Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

44) uid                  Nick Mathewson &lt;nickm@alum.mit.edu&gt;
45) uid                  Nick Mathewson &lt;nickm@wangafu.net&gt;
46) uid                  Nick Mathewson &lt;nickm@freehaven.net&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

47) 
48) pub  1024D/31B0974B 2003-07-17
49)      Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

50) uid                  Andrew Lewman (phobos) &lt;phobos@rootme.org&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

51) 
52) pub   1024D/94C09C7F 1999-11-10
53)       Key fingerprint = 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F
54) uid                  Peter Palfrader
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

55) uid                  Peter Palfrader &lt;peter@palfrader.org&gt;
56) uid                  Peter Palfrader &lt;weasel@debian.org&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

57) 
58) pub   1024D/5FA14861 2005-08-17
59)       Key fingerprint = 9467 294A 9985 3C9C 65CB  141D AF7E 0E43 5FA1 4861
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

60) uid                  Matt Edman &lt;edmanm@rpi.edu&gt;
61) uid                  Matt Edman &lt;Matt_Edman@baylor.edu&gt;
62) uid                  Matt Edman &lt;edmanm2@cs.rpi.edu&gt;
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

63) sub   4096g/EA654E59 2005-08-17
Jacob Appelbaum Add my gpg key info to the...

Jacob Appelbaum authored 15 years ago

64) 
65) pub   1024D/9D0FACE4 2008-03-11 [expires: 2010-03-11]
66)       Key fingerprint = 12E4 04FF D3C9 31F9 3405  2D06 B884 1A91 9D0F ACE4
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

67) uid                  Jacob Appelbaum &lt;jacob@appelbaum.net&gt;
Jacob Appelbaum Add my gpg key info to the...

Jacob Appelbaum authored 15 years ago

68) sub   4096g/D5E87583 2008-03-11 [expires: 2010-03-11]
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

69) </pre>
70) 
71) <p>(Of course if you want to be really certain that those are the real ones
Sebastian Hahn Start cleanup of the verify...

Sebastian Hahn authored 15 years ago

72) then you should check this from more places or even better get into key signing
73) and build a trust path to those keys.)</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

74) 
75) <p>If you're using GnuPG, then put the .asc and the download in the same
Sebastian Hahn Start cleanup of the verify...

Sebastian Hahn authored 15 years ago

76) directory and type "gpg --verify (whatever).asc (whatever)". It will say
77) something like "Good signature" or "BAD signature" using the following type of
78) command:</p>
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

79) 
80) <pre>
Sebastian Hahn Start cleanup of the verify...

Sebastian Hahn authored 15 years ago

81) gpg --verify tor-0.1.0.17.tar.gz.asc tor-0.1.0.17.tar.gz
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

82) gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

83) gpg: Good signature from "Roger Dingledine &lt;arma@mit.edu&gt;"
84) gpg:                 aka "Roger Dingledine &lt;arma@mit.edu&gt;"
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

85) gpg: WARNING: This key is not certified with a trusted signature!
86) gpg:          There is no indication that the signature belongs to the owner.
87) Primary key fingerprint: B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
88) </pre>
89) 
90) <p>
91) Notice that there is a warning because you haven't assigned a trust index to
92) this user. This means that your program verified the key made that signature.
93) It's up to the user to decide if that key really belongs to the developers. The
94) best method is to meet them in person and exchange gpg fingerprints. Keys can
Sebastian Hahn Start cleanup of the verify...

Sebastian Hahn authored 15 years ago

95) also be signed. If you look up Roger or Nick's keys, other people have
96) essentially said "we have verified this is Roger/Nick". So if you trust that
Sebastian Hahn Move the "Verifying Singatu...

Sebastian Hahn authored 15 years ago

97) third party, then you have a level of trust for that arma/nick.
98) </p>
99) 
100) <p>All this means is you can ignore the message or assign a trust level.</p>
101) 
102) <p>For your reference, this is an example of a <em>BAD</em> verification. It
103) means that the signature and file contents do not match:</p>
104) 
105) <pre>
106) gpg --verify tor-0.1.0.17.tar.gz.asc
107) gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5
Bogdan Drozdowski Mainetance/polish translati...

Bogdan Drozdowski authored 15 years ago

108) gpg: BAD signature from "Roger Dingledine &lt;arma@mit.edu&gt;"