tor-webwml.git

@@ -36,7 +36,7 @@

     you're talking to the Tor website with https when you're not.</p>

     <p>Some software sites list <a

-    href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1

+    href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1

     hashes</a> alongside the software on their website, so users can

     verify that they downloaded the file without any errors. These

     "checksums" help you answer the question "Did I download this file

@@ -60,7 +60,7 @@

     <hr>

     <p>You need to have GnuPG installed before

     you can verify signatures. Download it from <a

-    href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>

+    href="https://gpg4win.org/download.html">https://gpg4win.org/download.html</a>.</p>

     <p>Once it's installed, use GnuPG to import the key that signed your

     package. Since GnuPG for Windows is a command-line tool, you will need

     to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,

@@ -80,7 +80,6 @@

     uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>

     sub   4096R/F65C2036 2014-12-15

     sub   4096R/D40814E0 2014-12-15

-    sub   4096R/589839A3 2014-12-15

 </pre>

     <p>To verify the signature of the package you downloaded, you will need

     to download the ".asc" file as well. Assuming you downloaded the

@@ -96,8 +95,7 @@

     <p>Currently valid subkey fingerprints are:

     <pre>

     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036

-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0

-    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>

+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>

     <p>

     Notice that there is a warning because you haven't assigned a trust

     index to this person. This means that GnuPG verified that the key made

@@ -110,7 +108,7 @@

     <p>You need to have GnuPG installed before you can verify

     signatures. If you are using Mac OS X, you can install it from <a

-    href="http://www.gpgtools.org/">http://www.gpgtools.org/</a>. If you

+    href="https://www.gpgtools.org/">https://www.gpgtools.org/</a>. If you

     are using Linux, then it's probably you already have GnuPG in your

     system, as most Linux distributions come with it preinstalled.

     </p>

@@ -133,16 +131,13 @@

           Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>

     sub   4096R/F65C2036 2014-12-15

-    sub   4096R/D40814E0 2014-12-15

-    sub   4096R/589839A3 2014-12-15

-    </pre>

-

+    sub   4096R/D40814E0 2014-12-15</pre>

     <p>To verify the signature of the package you downloaded, you will need

     to download the ".asc" file as well. Assuming you downloaded the

-    package and its signature to your Desktop, run:</p>

+    package and its signature to your Downloads folder, run:</p>

     <strong>For Mac OS X users</strong>:<br />

-    <pre>gpg --verify ~/Desktop/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>

+    <pre>gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>-osx64_en-US.dmg{.asc*,}</pre>

     <strong>For Linux users</strong> (change 32 to 64 if you have the 64-bit package):<br />

     <pre>gpg --verify ~/Desktop/tor-browser-linux32-<version-torbrowserbundlelinux32>_en-US.tar.xz{.asc*,}</pre>

@@ -157,8 +152,7 @@

     Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290</pre> <p> Currently valid subkey fingerprints are:

     <pre>

     5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036

-    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0

-    05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3</pre></p>

+    BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0</pre></p>

     <p>

     Notice that there is a warning because you haven't assigned a trust

     index to this person. This means that GnuPG verified that the key made

@@ -177,7 +171,7 @@

     </p>

     <p>See <a

-    href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>

+    href="https://www.gnupg.org/documentation/">https://www.gnupg.org/documentation/</a>

     to learn more about GnuPG.</p>

     <hr>

@@ -204,14 +198,16 @@

       file, and the <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.

       They can all be found in the same directory under

       <a href="https://www.torproject.org/dist/torbrowser/">

-      https://www.torproject.org/dist/torbrowser/</a>, for example in '4.5.1'

-      for Tor Browser 4.5.1.</li>

+      https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux32>'

+      for Tor Browser <version-torbrowserbundlelinux32>.</li>

+      <li>In case your operating system is adding the .txt extension

+      automatically to the SHA256 sums signature file strip it again by running

+      <pre>mv sha256sums-unsigned-build.txt.asc.txt sha256sums-unsigned-build.txt.asc</pre>

       <li>Retrieve the signers' GPG keys. This can be done from the command

       line by entering something like

       <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x4E2C6E8793298290</pre>

       (This will bring you the public part of the Tor Browser developers'

-       signing key. Other

-      developers' key IDs can be found on

+       signing key. Other developers' key IDs can be found on

       <a href="<page docs/signing-keys>">this

       page</a>.)</li>

       <li>Verify the sha256sums-unsigned-build.txt file by executing this

@@ -230,7 +226,7 @@

       Windows you can use the <a href="http://md5deep.sourceforge.net/">

       hashdeep utility</a> and run

       <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>

-      On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>

+      On Mac or Linux you can run <pre>shasum -a 256 &lt;TOR BROWSER FILE NAME&gt;.dmg</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>

       <li>You will see a string of letters and numbers.</li>

       <li>Open <tt>sha256sums-unsigned-build.txt</tt> in a text editor.</li>

       <li>Locate the name of the Tor Browser file you downloaded.</li>

@@ -241,7 +237,7 @@

     </ul>

     <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a>

-    to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>

+    to <a href="https://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a>

     these steps have been written, but to use them you will need to modify

     them yourself with the latest Tor Browser filename.</p>

@@ -263,6 +259,7 @@

     <pre>

     cd /path/to/MAR/file

     unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip

+    export LD_LIBRARY_PATH=/path/to/MAR/file/mar-tools

     mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>

     <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>

     with the one provided in the <tt>sha265sums-unsigned-build.txt</tt> or