verification: add rudimentary guide for android (#27514)
traumschule commited on 2018-09-10 09:55:43
Zeige 1 geänderte Dateien mit 77 Einfügungen und 0 Löschungen.
- docs/en/verifying-signatures.wml 2520538c8..320572b97
| ... | ... |
@@ -158,6 +158,7 @@ |
| 158 | 158 |
<label for="ac-2-1"><a name="KeyWindows">► Windows</a></label> |
| 159 | 159 |
<label for="ac-2-2"><a name="KeyMacOS">► macOS</a></label> |
| 160 | 160 |
<label for="ac-2-3"><a name="KeyLinux">► Linux</a></label> |
| 161 |
+ <label for="ac-2-4"><a name="KeyAndroid">► Android</a></label> |
|
| 161 | 162 |
</p> |
| 162 | 163 |
<!-- Windows --> |
| 163 | 164 |
<div> |
| ... | ... |
@@ -218,6 +219,33 @@ |
| 218 | 219 |
system, as most Linux distributions come with it preinstalled. |
| 219 | 220 |
</p> |
| 220 | 221 |
|
| 222 |
+ <p> |
|
| 223 |
+ The next step is to use GnuPG to import the key that signed |
|
| 224 |
+ your package. The Tor Browser team signs Tor Browser releases. Import its |
|
| 225 |
+ key (0x4E2C6E8793298290) by starting the terminal and typing:</p> |
|
| 226 |
+ <pre> |
|
| 227 |
+ $ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 |
|
| 228 |
+ </pre> |
|
| 229 |
+ <p> |
|
| 230 |
+ </article> |
|
| 231 |
+ </div> |
|
| 232 |
+<!-- Android --> |
|
| 233 |
+ <div> |
|
| 234 |
+ <input id="ac-2-4" name="accordion-2" type="radio" /> |
|
| 235 |
+ <article class="ac-os"> |
|
| 236 |
+ <h3>Import OpenPGP key on Android</h3> |
|
| 237 |
+ |
|
| 238 |
+ <p> |
|
| 239 |
+ To show the signature of your applications you need the app Checkey. It can |
|
| 240 |
+ be installed from |
|
| 241 |
+ <a href="https://f-droid.org/en/packages/info.guardianproject.checkey">F-Droid</a>. |
|
| 242 |
+ |
|
| 243 |
+ <p><!-- TODO copied from linux, needs to be rewritten --> |
|
| 244 |
+ You need to have GnuPG installed before you can verify |
|
| 245 |
+ signatures. It is probably already installed on your |
|
| 246 |
+ system, as most Linux distributions come with it preinstalled. |
|
| 247 |
+ </p> |
|
| 248 |
+ |
|
| 221 | 249 |
<p> |
| 222 | 250 |
The next step is to use GnuPG to import the key that signed |
| 223 | 251 |
your package. The Tor Browser team signs Tor Browser releases. Import its |
| ... | ... |
@@ -272,6 +300,7 @@ sub rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12] |
| 272 | 300 |
<label for="ac-3-1"><a name="VerifyWindows">► Windows</a></label> |
| 273 | 301 |
<label for="ac-3-2"><a name="VerifyMacOS">► macOS</a></label> |
| 274 | 302 |
<label for="ac-3-3"><a name="VerifyLinux">► Linux</a></label> |
| 303 |
+ <label for="ac-3-3"><a name="VerifyAndroid">► Android</a></label> |
|
| 275 | 304 |
</p> |
| 276 | 305 |
<p> |
| 277 | 306 |
If you haven't already, <a href="<page download/download>">download</a> |
| ... | ... |
@@ -380,6 +409,43 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 |
| 380 | 409 |
|
| 381 | 410 |
</article> |
| 382 | 411 |
</div> |
| 412 |
+<!-- Android --> |
|
| 413 |
+ <div> |
|
| 414 |
+ <input id="ac-3-4" name="accordion-3" type="radio" /> |
|
| 415 |
+ <article class="ac-os"> |
|
| 416 |
+ <h3>Verify with OpenPGP signature on Android</h3> |
|
| 417 |
+ |
|
| 418 |
+ <p> |
|
| 419 |
+ To verify the signature of the package you downloaded, you will need |
|
| 420 |
+ to download the ".asc" file as well. Assuming you downloaded the |
|
| 421 |
+ package and its signature to your Downloads folder, run: |
|
| 422 |
+ </p> |
|
| 423 |
+ |
|
| 424 |
+ <pre> |
|
| 425 |
+ $ jarsigner -verify -verbose -certs tor-browser-android-arm-<version-torbrowserbundleandroid>.apk |
|
| 426 |
+ </pre> |
|
| 427 |
+ |
|
| 428 |
+ <p>or using <a hef="https://developer.android.com/studio/command-line/apksigner">apksigner</a>: |
|
| 429 |
+ |
|
| 430 |
+ <pre> |
|
| 431 |
+ $ apksigner verify --print-certs tor-browser-android-arm-<version-torbrowserbundleandroid>.apk |
|
| 432 |
+ </pre> |
|
| 433 |
+ |
|
| 434 |
+ <p>The output should say "Good signature":</p> |
|
| 435 |
+ <!-- TODO this is the output i got verifying the signature with gpg --> |
|
| 436 |
+ <pre> |
|
| 437 |
+gpg: assuming signed data in 'tor-browser-android-arm-1.0a1.apk' |
|
| 438 |
+gpg: Signature made Thu 06 Sep 2018 08:38:27 PM CEST |
|
| 439 |
+gpg: using RSA key 0xEB774491D9FF06E2 |
|
| 440 |
+gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown] |
|
| 441 |
+gpg: WARNING: This key is not certified with a trusted signature! |
|
| 442 |
+gpg: There is no indication that the signature belongs to the owner. |
|
| 443 |
+Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 |
|
| 444 |
+ Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2 |
|
| 445 |
+ </pre> |
|
| 446 |
+ </article> |
|
| 447 |
+ </div> |
|
| 448 |
+ |
|
| 383 | 449 |
<!-- END OS specific sections --> |
| 384 | 450 |
<p> |
| 385 | 451 |
Currently valid subkey fingerprints are: |
| ... | ... |
@@ -556,6 +622,17 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 |
| 556 | 622 |
</ul> |
| 557 | 623 |
</article> |
| 558 | 624 |
</div> |
| 625 |
+<!-- Android --> |
|
| 626 |
+ <div> |
|
| 627 |
+ <input id="ac-4-4" name="accordion-4" type="radio" /> |
|
| 628 |
+ <article class="ac-os ac-4-4"> |
|
| 629 |
+ <h3>Verififcation with a checksum on Android</h3> |
|
| 630 |
+ |
|
| 631 |
+ <p><!-- TODO -->This part needs to be written. |
|
| 632 |
+ <a href="https://trac.torproject.org/projects/tor/ticket/27514">Please help!</a> |
|
| 633 |
+ </p> |
|
| 634 |
+ </article> |
|
| 635 |
+ </div> |
|
| 559 | 636 |
<a class="nav" href="#TOC" title="go up">↑</a> |
| 560 | 637 |
</article><!-- END ac-box --> |
| 561 | 638 |
</div><!-- END step 3 --> |
| 562 | 639 |