docs/en/verifying-signatures.wml (7eb0bbcb9) - tor-webwml.git

verifying-signatures.wml

## translation metadata
# Revision: $Revision$
# Translation-Priority: 2-medium

#include "head.wmi" TITLE="Tor Project: Verifying Signatures" CHARSET="UTF-8"
<div id="content" class="clearfix">
  <div id="breadcrumbs">
    <a href="<page index>">Home &raquo; </a>
    <a href="<page docs/verifying-signatures>">Verifying Signatures</a>
  </div>
  <div id="maincol">
    <h1>How to verify signatures for packages</h1>
    <hr>

<p>Each file on <a href="<page download/download>">our download
    page</a> is accompanied by a file with the same name as the
    package and the extension ".asc". These .asc files are GPG
    signatures. They allow you to verify the file you've downloaded
    is exactly the one that we intended you to get. For example,
    tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by
    tor-browser-<version-torbrowserbundle>_en-US.exe.asc.</p>

<h3>Windows</h3>
    <hr>

<p>You need to have GnuPG installed
    before you can verify signatures. Go to <a
    href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>
    and look for the "version compiled for MS-Windows" under "Binaries".</p>

<p>Once it's installed, use GnuPG to import the key that signed your
    package. Since GnuPG for Windows is a command-line tool, you will need
    to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
    you will need to tell Windows the full path to the GnuPG program. If
    you installed GnuPG with the default values, the path should be
    something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>

<p>Erinn Clark signs the Tor Browser Bundles. Import her key
    (0x63FEE659) by starting <i>cmd.exe</i> and typing:</p>

<pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>

<p>After importing the key, you can verify that the fingerprint
    is correct:</p>

<pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint 0x63FEE659</pre>

<p>You should see:</p>
    <pre>
    pub   2048R/63FEE659 2003-10-16
          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
    uid                  Erinn Clark &lt;erinn@torproject.org&gt;
    uid                  Erinn Clark &lt;erinn@debian.org&gt;
    uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
    sub   2048R/EB399FD7 2003-10-16
</pre>

<p>To verify the signature of the package you downloaded, you will need
    to download the ".asc" file as well. Assuming you downloaded the
    package and its signature to your Desktop, run:</p>

<pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre>

<p>The output should say "Good signature": </p>

<pre>
    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
    gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
    gpg:                 aka "Erinn Clark &lt;erinn@debian.org&gt;"
    gpg:                 aka "Erinn Clark &lt;erinn@double-helix.org&gt;"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
    </pre>

<p>
    Notice that there is a warning because you haven't assigned a trust
    index to this person. This means that GnuPG verified that the key made
    that signature, but it's up to you to decide if that key really belongs
    to the developer. The best method is to meet the developer in person and
    exchange key fingerprints.
    </p>

<p>You need to have GnuPG installed before you can verify
    signatures. You can install it from <a
    href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.
    </p>

<p>Once it's installed, use GnuPG to import the key that signed
    your package. Erinn Clark signs the Tor Browser Bundles. Import her
    key (0x63FEE659) by starting the terminal (under "Applications")
    and typing:</p>

<pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>

<p>After importing the key, you can verify that the fingerprint
    is correct:</p>

<pre>gpg --fingerprint 0x63FEE659</pre>

<p>To verify the signature of the package you downloaded, you will need
    to download the ".asc" file as well. Assuming you downloaded the
    package and its signature to your Desktop, run:</p>

<pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc /Users/Alice/<file-osx-x86-bundle-stable></pre>

<p>The output should say "Good signature": </p>

<h3>Linux</h3>
    <hr>

<p>For <b>RPM-based distributions</b> you can manually verify the
    signatures on the RPM packages by:</p>
    <pre>rpm -K filename.rpm</pre>

<p>For <b>Debian</b>, you should read the instructions on <a
    href="<page docs/debian>#packages">importing these keys to
    apt</a>.</p>

<p>If you wish to learn more about GPG, see <a
    href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>.</p>

</div>
  
  <div id = "sidecol">
#include "side.wmi"
#include "info.wmi"
  </div>
  
</div>

#include <foot.wmi>

tor-webwml.git

the verifying signatures page is now less awful