Update advanced verification instructions
Georg Koppen commited on 2015-05-13 14:20:10
Zeige 1 geänderte Dateien mit 13 Einfügungen und 11 Löschungen.
- docs/en/verifying-signatures.wml 64fc5e368..87400629d
| ... | ... |
@@ -200,11 +200,12 @@ |
| 200 | 200 |
<p>The steps below walk through this process:</p> |
| 201 | 201 |
|
| 202 | 202 |
<ul> |
| 203 |
- <li>Download the Tor Browser package, the sha256sums.txt file, and the |
|
| 204 |
- sha256sums signature files. They can all be found in the same directory |
|
| 205 |
- under <a href="https://www.torproject.org/dist/torbrowser/"> |
|
| 206 |
- https://www.torproject.org/dist/torbrowser/</a>, for example in '3.6.1' |
|
| 207 |
- for TBB 3.6.1.</li> |
|
| 203 |
+ <li>Download the Tor Browser package, the <tt>sha256sums-unsigned-build.txt</tt> |
|
| 204 |
+ file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file. |
|
| 205 |
+ They can all be found in the same directory under |
|
| 206 |
+ <a href="https://www.torproject.org/dist/torbrowser/"> |
|
| 207 |
+ https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1' |
|
| 208 |
+ for Tor Browser 4.5.1.</li> |
|
| 208 | 209 |
<li>Retrieve the signers' GPG keys. This can be done from the command |
| 209 | 210 |
line by entering something like |
| 210 | 211 |
<pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre> |
| ... | ... |
@@ -213,8 +214,9 @@ |
| 213 | 214 |
developers' key IDs can be found on |
| 214 | 215 |
<a href="<page docs/signing-keys>">this |
| 215 | 216 |
page</a>.)</li> |
| 216 |
- <li>Verify the sha256sums.txt file by executing this command: |
|
| 217 |
- <pre>gpg --verify <NAME OF THE SIGNATURE FILE>.asc sha256sums.txt</pre></li> |
|
| 217 |
+ <li>Verify the sha256sums-unsigned-build.txt file by executing this |
|
| 218 |
+ command: |
|
| 219 |
+ <pre>gpg --verify sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.txt</pre></li> |
|
| 218 | 220 |
<li>You should see a message like "Good signature from <DEVELOPER |
| 219 | 221 |
NAME>". If you don't, there is a problem. Try these steps again.</li> |
| 220 | 222 |
<li>If you want to verify a Windows Tor Browser package you need to first |
| ... | ... |
@@ -230,7 +232,7 @@ |
| 230 | 232 |
<pre>C:\location\where\you\saved\hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe</pre> |
| 231 | 233 |
On Mac or Linux you can run <pre>sha256sum <TOR BROWSER FILE NAME>.dmg</pre> or <pre>sha256sum <TOR BROWSER FILE NAME>.tar.gz</pre> without having to download a utility.</li> |
| 232 | 234 |
<li>You will see a string of letters and numbers.</li> |
| 233 |
- <li>Open sha256sums.txt in a text editor.</li> |
|
| 235 |
+ <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li> |
|
| 234 | 236 |
<li>Locate the name of the Tor Browser file you downloaded.</li> |
| 235 | 237 |
<li>Compare the string of letters and numbers to the left of your |
| 236 | 238 |
filename with the string of letters and numbers that appeared |
| ... | ... |
@@ -263,9 +265,9 @@ |
| 263 | 265 |
unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip |
| 264 | 266 |
mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre> |
| 265 | 267 |
<p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt> |
| 266 |
- with the one provided in the <tt>sha265sums.txt</tt> or |
|
| 267 |
- <tt>sha256sums.incremental.txt</tt> as outlined in <a href="#BuildVerification">Verifying |
|
| 268 |
- sha256sums (advancded)</a> above.</p> |
|
| 268 |
+ with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or |
|
| 269 |
+ <tt>sha256sums-unsigned-build.incremental.txt</tt> as outlined in |
|
| 270 |
+ <a href="#BuildVerification">Verifying sha256sums (advancded)</a> above.</p> |
|
| 269 | 271 |
|
| 270 | 272 |
</div> |
| 271 | 273 |
<!-- END MAINCOL --> |
| 272 | 274 |