Bug 13407: Update signature verification
Georg Koppen

Georg Koppen committed on 2015-02-24 13:50:53
Showing 1 changed file with 26 additions and 30 deletions.

... ...
@@ -53,8 +53,8 @@
53 53
     package and the extension ".asc". These .asc files are GPG
54 54
     signatures. They allow you to verify the file you've downloaded
55 55
     is exactly the one that we intended you to get. For example,
56
-    tor-browser-2.3.25-13_en-US.exe is accompanied by
57
-    tor-browser-2.3.25-13_en-US.exe.asc. For a list
56
+    torbrowser-install-<version-torbrowserbundle>_en-US.exe is accompanied by
57
+    torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc. For a list
58 58
     of which developer signs which package, see our <a href="<page docs/signing-keys>">signing keys</a> page.</p>
59 59
     <h3>Windows</h3>
60 60
     <hr>
... ...
@@ -67,20 +67,20 @@
67 67
     you will need to tell Windows the full path to the GnuPG program. If
68 68
     you installed GnuPG with the default values, the path should be
69 69
     something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
70
-    <p>Erinn Clark signs the Tor Browsers. Import her key
71
-    (0x416F061063FEE659) by starting <i>cmd.exe</i> and typing:</p>
72
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
70
+    <p>The Tor Browser team signs the Tor Browsers. Import its key
71
+    (0x4E2C6E8793298290) by starting <i>cmd.exe</i> and typing:</p>
72
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
73 73
     <p>After importing the key, you can verify that the fingerprint
74 74
     is correct:</p>
75
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659</pre>
75
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x4E2C6E8793298290</pre>
76 76
     <p>You should see:</p>
77 77
     <pre>
78
-    pub   2048R/63FEE659 2003-10-16
79
-          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
80
-    uid                  Erinn Clark &lt;erinn@torproject.org&gt;
81
-    uid                  Erinn Clark &lt;erinn@debian.org&gt;
82
-    uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
83
-    sub   2048R/EB399FD7 2003-10-16
78
+    pub   4096R/93298290 2014-12-15
79
+          Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
80
+    uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
81
+    sub   4096R/F65C2036 2014-12-15
82
+    sub   4096R/D40814E0 2014-12-15
83
+    sub   4096R/589839A3 2014-12-15
84 84
 </pre>
85 85
     <p>To verify the signature of the package you downloaded, you will need
86 86
     to download the ".asc" file as well. Assuming you downloaded the
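Review bot: The added uid line in the expected --fingerprint output writes <torbrowser@torproject.org> with raw angle brackets, whereas the removed uid lines escaped them as &lt; and &gt;. Inside the <pre> a browser will parse the address as an unknown tag and drop it from the rendered page, so the reader cannot compare the uid. Escape it as &lt;torbrowser@torproject.org&gt;. Since the fingerprint is what the reader is asked to check, consider also passing the full fingerprint to --recv-keys instead of the 64-bit key ID 0x4E2C6E8793298290.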
... ...
@@ -88,13 +88,11 @@
88 88
     <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
89 89
     <p>The output should say "Good signature": </p>
90 90
     <pre>
91
-    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
92
-    gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
93
-    gpg:                 aka "Erinn Clark &lt;erinn@debian.org&gt;"
94
-    gpg:                 aka "Erinn Clark &lt;erinn@double-helix.org&gt;"
91
+    gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
92
+    gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
95 93
     gpg: WARNING: This key is not certified with a trusted signature!
96 94
     gpg:          There is no indication that the signature belongs to the owner.
97
-    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
95
+    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
98 96
     </pre>
99 97
     <p>
100 98
     Notice that there is a warning because you haven't assigned a trust
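Review bot: In the new sample --verify output, the "Signature made" line reports RSA key ID D40814E0, which does not match the tail of the "Primary key fingerprint" line (9329 8290) a few lines below it. The removed sample showed the same ID (63FEE659) in both places. A reader comparing key IDs may take the mismatch for a failed check, so add a sentence after the <pre> saying that the ID shown is a signing subkey and that the value to compare is the primary key fingerprint. The "Good signature from" line also needs &lt; and &gt; around the e-mail address, as the removed lines had.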
... ...
@@ -118,21 +116,21 @@
118 116
     key (0x416F061063FEE659) by starting the terminal (under "Applications"
119 117
     in Mac OS X) and typing:</p>
120 118
 
121
-    <pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659</pre>
119
+    <pre>gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290</pre>
122 120
 
123 121
     <p>After importing the key, you can verify that the fingerprint
124 122
     is correct:</p>
125 123
 
126
-    <pre>gpg --fingerprint 0x416F061063FEE659</pre>
124
+    <pre>gpg --fingerprint 0x4E2C6E8793298290</pre>
127 125
 
128 126
     <p>You should see:</p>
129 127
     <pre>
130
-    pub   2048R/63FEE659 2003-10-16
131
-          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
132
-    uid                  Erinn Clark &lt;erinn@torproject.org&gt;
133
-    uid                  Erinn Clark &lt;erinn@debian.org&gt;
134
-    uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
135
-    sub   2048R/EB399FD7 2003-10-16
128
+    pub   4096R/93298290 2014-12-15
129
+          Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
130
+    uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
131
+    sub   4096R/F65C2036 2014-12-15
132
+    sub   4096R/D40814E0 2014-12-15
133
+    sub   4096R/589839A3 2014-12-15
136 134
     </pre>
137 135
 
138 136
     <p>To verify the signature of the package you downloaded, you will need
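Review bot: The unchanged context line at old 118 / new 116 still reads "key (0x416F061063FEE659) by starting the terminal", while the --recv-keys and --fingerprint commands below it now use 0x4E2C6E8793298290, so this section's prose names a different key from the one the commands import. Update that paragraph the same way as the Windows one ("The Tor Browser team signs the Tor Browsers. Import its key (0x4E2C6E8793298290)"). The added uid line in the sample output also has unescaped angle brackets around the e-mail address.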
... ...
@@ -148,13 +146,11 @@
148 146
     <p>The output should say "Good signature": </p>
149 147
 
150 148
     <pre>
151
-    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
152
-    gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
153
-    gpg:                 aka "Erinn Clark &lt;erinn@debian.org&gt;"
154
-    gpg:                 aka "Erinn Clark &lt;erinn@double-helix.org&gt;"
149
+    gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
150
+    gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
155 151
     gpg: WARNING: This key is not certified with a trusted signature!
156 152
     gpg:          There is no indication that the signature belongs to the owner.
157
-    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
153
+    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
158 154
     </pre>
159 155
 
160 156
     <p>
161 157
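Review bot: The added sample line "gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET" pairs a weekday and a date that do not match: 24 January 2015 was a Saturday, while 24 February 2015, the commit date, was a Tuesday, so the month looks mistyped. The same line appears in the Windows sample. Paste the output of a real --verify run in both places so the timestamp is self-consistent, and escape the angle brackets in the "Good signature from" line as &lt;torbrowser@torproject.org&gt;.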