tor-webwml.git

1) ## translation metadata

2) # Revision: $Revision$

3) # Translation-Priority: 2-medium
4) 
5) #include "head.wmi" TITLE="Tor Project: Verifying Signatures" CHARSET="UTF-8"
6) <div id="content" class="clearfix">
7)   <div id="breadcrumbs">

8)     <a href="<page index>">Home &raquo; </a>

9)     <a href="<page docs/verifying-signatures>">Verifying Signatures</a>
10)   </div>

11)   <div id="maincol">

12)     <h1>How to verify signatures for packages</h1>

13)     <hr>

14) 

15)     <p>Each file on <a href="<page download/download>">our download page</a> is accompanied
16)     by a file with the same name as the package and the extension
17)     ".asc". These .asc files are GPG signatures. They allow you to verify
18)     the file you've downloaded is exactly the one that we intended you to

19)     get. For example, tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by
20)     tor-browser-<version-torbrowserbundle>_en-US.exe.asc.</p>

21) 

22)     <p>Of course, you'll need to have our GPG keys in your keyring: if you don't
23)     know the GPG key, you can't be sure that it was really us who signed it. The
24)     signing keys we use are:</p>
25)     <ul>
26)     <li>Roger's (0x28988BF5) typically signs the source code file.</li>
27)     <li>Nick's (0x165733EA, or its subkey 0x8D29319A).</li>

28)     <li>Andrew's (0x31B0974B) typically signed older packages for windows and mac.</li>

29)     <li>Peter's (0x94C09C7F, or its subkey 0xAFA44BDD).</li>

30)     <li>Tomás's (0x9A753A6B) signs current Vidalia release tarballs and tags.</li>
31)     <li>Matt's (0x5FA14861) signed older Vidalia release tarballs.</li>

32)     <li>Damian's (0x9ABBEEC6) signs Arm releases</li>

33)     <li>Jacob's (0xE012B42D).</li>

34)     <li>Erinn's (0x63FEE659) and (0xF1F5C9B5) typically signs all windows, mac, and most linux packages.</li>

35)     <li>Mike's (0xDDC6C0AD) signs the Torbutton xpi.</li>

36)     <li>Karsten's (0xF7C11265) signs the metrics archives and tools.</li>

37)     <li>Robert Hogan's (0x22F6856F) signs torsocks release tarballs and tags.</li>

38)     </ul>

39) 

40)     <h3>Step Zero: Install GnuPG</h3>

41)     <hr>

42)     <p>You need to have GnuPG installed before you can verify
43)     signatures.</p>

44) 

45)     <ul>
46)     <li>Linux: see <a
47)     href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>
48)     or install <i>gnupg</i> from the package management system.</li>
49)     <li>Windows: see <a
50)     href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>. Look
51)     for the "version compiled for MS-Windows" under "Binaries".</li>
52)     <li>Mac: see <a
53)     href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.</li>
54)     </ul>

55) 

56)     <h3>Step One:  Import the keys</h3>

57)     <hr>

58)     <p>The next step is to import the key. This can be done directly from
59)     GnuPG. Make sure you import the correct key. For example, if you

60)     downloaded a Windows package, you will need to import Erinn's key.</p>

61) 

62)     <p><b>Windows:</b></p>
63)     <p>GnuPG for Windows is a command line tool, and you will need to use
64)     <i>cmd.exe</i>. Unless you edit your PATH environment variable, you will
65)     need to tell Windows the full path to the GnuPG program. If you installed GnuPG
66)     with the default values, the path should be something like this: <i>C:\Program
67)     Files\Gnu\GnuPg\gpg.exe</i>.</p>

68) 

69)     <p>To import the key 0x28988BF5, start <i>cmd.exe</i> and type:</p>

70) 

71)     <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre>

72) 

73)     <p><b>Mac and Linux</b></p>
74)     <p>Whether you have a Mac or you run Linux, you will need to use the terminal
75)     to run GnuPG. Mac users can find the terminal under "Applications". If you run
76)     Linux and use Gnome, the terminal should be under "Applications menu" and
77)     "Accessories". KDE users can find the terminal under "Menu" and "System".</p>

78) 

79)     <p>To import the key 0x28988BF5, start the terminal and type:</p>

80) 

81)     <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre>

82) 

83)     <h3>Step Two:  Verify the fingerprints</h3>

84)     <hr>

85)     <p>After importing the key, you will want to verify that the fingerprint is correct.</p>

86) 

87)     <p><b>Windows:</b></p>
88)     <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint (insert keyid here)</pre>

89) 

90)     <p><b>Mac and Linux</b></p>
91)     <pre>gpg --fingerprint (insert keyid here)</pre>

92) 

93)     The fingerprints for the keys should be:

94) 

95)     <pre>
96)     pub   1024D/28988BF5 2000-02-27
97)           Key fingerprint = B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
98)     uid                  Roger Dingledine &lt;arma@mit.edu&gt;

99) 

100)     pub   3072R/165733EA 2004-07-03
101)           Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA
102)     uid                  Nick Mathewson <nickm@alum.mit.edu>
103)     uid                  Nick Mathewson <nickm@wangafu.net>
104)     uid                  Nick Mathewson <nickm@freehaven.net>

105) 

106)     pub  1024D/31B0974B 2003-07-17
107)          Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B
108)     uid                  Andrew Lewman (phobos) <phobos@rootme.org>
109)     uid                  Andrew Lewman <andrew@lewman.com>
110)     uid                  Andrew Lewman <andrew@torproject.org>
111)     sub   4096g/B77F95F7 2003-07-17

112) 

113)     pub   1024D/94C09C7F 1999-11-10
114)           Key fingerprint = 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F
115)     uid                  Peter Palfrader
116)     uid                  Peter Palfrader <peter@palfrader.org>
117)     uid                  Peter Palfrader <weasel@debian.org>

118) 

119)     pub   1024D/9A753A6B 2009-09-11
120)           Key fingerprint = 553D 7C2C 626E F16F 27F3  30BC 95E3 881D 9A75 3A6B

121)     uid                  Tomás Touceda <chiiph@gmail.com>

122)     sub   1024g/33BE0E5B 2009-09-11
123) 

124)     pub   1024D/5FA14861 2005-08-17
125)           Key fingerprint = 9467 294A 9985 3C9C 65CB  141D AF7E 0E43 5FA1 4861
126)     uid                  Matt Edman <edmanm@rpi.edu>
127)     uid                  Matt Edman <Matt_Edman@baylor.edu>
128)     uid                  Matt Edman <edmanm2@cs.rpi.edu>
129)     sub   4096g/EA654E59 2005-08-17

130) 

131)     pub   1024D/9ABBEEC6 2009-06-17
132)           Key fingerprint = 6827 8CC5 DD2D 1E85 C4E4  5AD9 0445 B7AB 9ABB EEC6

133)     uid                  Damian Johnson (www.atagar.com) <atagar1@gmail.com>
134)     uid                  Damian Johnson <atagar@torproject.org>

135)     sub   2048g/146276B2 2009-06-17
136)     sub   2048R/87F30690 2010-08-07
137) 

138)     pub   4096R/E012B42D 2010-05-07
139)           Key fingerprint = D8C9 AF51 CAA9 CAEA D3D8  9C9E A34F A745 E012 B42D

140)     uid                  Jacob Appelbaum <jacob@appelbaum.net>

141)     uid                  Jacob Appelbaum <jacob@torproject.org>
142)     sub   4096R/7CA91A52 2010-05-07 [expires: 2011-05-07]

143) 

144)     pub   2048R/63FEE659 2003-10-16
145)           Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
146)     uid                  Erinn Clark <erinn@torproject.org>
147)     uid                  Erinn Clark <erinn@debian.org>
148)     uid                  Erinn Clark <erinn@double-helix.org>
149)     sub   2048R/EB399FD7 2003-10-16

150) 

151)     pub   1024D/F1F5C9B5 2010-02-03
152)           Key fingerprint = C2E3 4CFC 13C6 2BD9 2C75  79B5 6B8A AEB1 F1F5 C9B5
153)     uid                  Erinn Clark <erinn@torproject.org>
154)     sub   1024g/7828F26A 2010-02-03

155) 

156)     pub   1024D/DDC6C0AD 2006-07-26
157)           Key fingerprint = BECD 90ED D1EE 8736 7980  ECF8 1B0C A30C DDC6 C0AD
158)     uid                  Mike Perry <mikeperry@fscked.org>
159)     uid                  Mike Perry <mikepery@fscked.org>
160)     sub   4096g/AF0A91D7 2006-07-26

161) 

162)     pub   1024D/F7C11265 2007-03-09 [expires: 2012-03-01]
163)           Key fingerprint = FC8A EEF1 792E EE71 D721  7D47 D0CF 963D F7C1 1265
164)     uid                  Karsten Loesing <karsten.loesing@gmx.net>
165)     sub   2048g/75D85E4B 2007-03-09 [expires: 2012-03-01]
166) 

167)     pub   1024D/22F6856F 2006-08-19
168)           Key fingerprint = DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F

169)     uid                  Robert Hogan <robert@roberthogan.net>

170)     sub   1024g/FC4A9460 2006-08-19
171) 

172)     </pre>

173) 

174)     <h3>Step Three:  Verify the downloaded package</h3>

175)     <hr>

176)     <p> To verify the signature of the package you downloaded, you will need
177)     to download the ".asc" file as well.</p>

178) 

179)     <p>In the following examples, the user Alice downloads packages for
180)     Windows, Mac OS X and Linux and also verifies the signature of each
181)     package. All files are saved on the desktop.</p>

182) 

183)     <p><b>Windows:</b></p>

184)     <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre>

185) 

186)     <p><b>Mac:</b></p>

187)     <pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc /Users/Alice/<file-osx-x86-bundle-stable></pre>

188) 

189)     <p><b>Linux</b></p>

190)     <pre>gpg --verify /home/Alice/Desktop/<file-source-stable>.asc /home/Alice/Desktop/<file-source-stable></pre>

191)     

192) 

193)     <p>After verifying, GnuPG will come back saying something like "Good
194)     signature" or "BAD signature". The output should look something like
195)     this:</p>

196) 

197)     <pre>
198)     gpg: Signature made Tue 16 Mar 2010 05:55:17 AM CET using DSA key ID 28988BF5
199)     gpg: Good signature from "Roger Dingledine &lt;arma@mit.edu&gt;"
200)     gpg: WARNING: This key is not certified with a trusted signature!
201)     gpg:          There is no indication that the signature belongs to the owner.
202)     Primary key fingerprint: B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
203)     </pre>

204) 

205)     <p>
206)     Notice that there is a warning because you haven't assigned a trust
207)     index to this person. This means that GnuPG verified that the key made
208)     that signature, but it's up to you to decide if that key really belongs
209)     to the developer. The best method is to meet the developer in person and
210)     exchange key fingerprints.
211)     </p>

212) 

213)     <p>For your reference, this is an example of a <em>BAD</em> verification. It
214)     means that the signature and file contents do not match. In this case,
215)     you should not trust the file contents:</p>

216) 

217)     <pre>
218)     gpg: Signature made Tue 20 Apr 2010 12:22:32 PM CEST using DSA key ID 28988BF5
219)     gpg: BAD signature from "Roger Dingledine &lt;arma@mit.edu&gt;"
220)     </pre>

221) 

222)     <p><b>RPM-based distributions :</b></p>
223)     <p>In order to manually verify the signatures on the RPM packages, you must use the
224)     <code>rpm</code> tool like so: <br />
225)     
226)     <pre>rpm -K filename.rpm</pre></p>
227)     <p></p>
228)     
229)     <p><b>Debian:</b></p>

230)     <p>If you are running Tor on Debian you should read the instructions on
231)     <a href="<page docs/debian>#packages">importing these keys to apt</a>.</p>

232) 

233)     <p>If you wish to learn more about GPG, see <a
234)     href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>.</p>
235)   </div>
236)   <!-- END MAINCOL -->
237)   <div id = "sidecol">
238) #include "side.wmi"
239) #include "info.wmi"
240)   </div>
241)   <!-- END SIDECOL -->
242) </div>
243) <!-- END CONTENT -->