
verification: add rudimentary guide for android (#27514)

traumschule authored on 07/09/2018 00:16:17
Showing 1 changed files
... ...
@@ -158,6 +158,7 @@
158 158
    <label for="ac-2-1"><a name="KeyWindows">&#9658; Windows</a></label>
159 159
    <label for="ac-2-2"><a name="KeyMacOS">&#9658; macOS</a></label>
160 160
    <label for="ac-2-3"><a name="KeyLinux">&#9658; Linux</a></label>
161
+   <label for="ac-2-4"><a name="KeyAndroid">&#9658; Android</a></label>
161 162
    </p>
162 163
 <!-- Windows -->
163 164
   <div>
... ...
@@ -218,6 +219,33 @@
218 219
     system, as most Linux distributions come with it preinstalled.
219 220
     </p>
220 221
 
222
+    <p>
223
+    The next step is to use GnuPG to import the key that signed
224
+    your package. The Tor Browser team signs Tor Browser releases. Import its
225
+    key (0x4E2C6E8793298290) by starting the terminal and typing:</p>
226
+    <pre>
227
+    $ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
228
+    </pre>
229
+    <p>
230
+   </article>
231
+  </div>
232
+<!-- Android -->
233
+  <div>
234
+   <input id="ac-2-4" name="accordion-2" type="radio" />
235
+   <article class="ac-os">
236
+    <h3>Import OpenPGP key on Android</h3>
237
+
238
+    <p>
239
+    To show the signature of your applications you need the app Checkey. It can
240
+    be installed from
241
+    <a href="https://f-droid.org/en/packages/info.guardianproject.checkey">​F-Droid</a>.
242
+
243
+    <p><!-- TODO copied from linux, needs to be rewritten -->
244
+    You need to have GnuPG installed before you can verify
245
+    signatures. It is probably already installed on your
246
+    system, as most Linux distributions come with it preinstalled.
247
+    </p>
248
+
221 249
     <p>
222 250
     The next step is to use GnuPG to import the key that signed
223 251
     your package. The Tor Browser team signs Tor Browser releases. Import its
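Review bot: the copied Linux block ends at new line 229 with an opening `<p>` directly before `</article>`, so the Linux section now closes on an empty, unclosed paragraph. The original text from "The next step is to use GnuPG" onward (old 221, new 249) now falls inside the Android article instead of the Linux one. Close the Linux article after its complete text and start the Android `<div>` only after that. Within the Android article, the Checkey paragraph (new 238 to 241) is missing its `</p>`, and the paragraph marked TODO still tells Android readers that GnuPG comes preinstalled on most Linux distributions before sending them to a terminal `gpg --recv-keys` step. Either say that the OpenPGP check is done on a desktop machine or describe the Android-side tool. Because the key is fetched from a keyserver by its 64-bit ID, the section should also tell the reader to compare the imported key with the full fingerprint that the page prints (EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290) before trusting it.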
... ...
@@ -272,6 +300,7 @@ sub   rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
272 300
    <label for="ac-3-1"><a name="VerifyWindows">&#9658; Windows</a></label>
273 301
    <label for="ac-3-2"><a name="VerifyMacOS">&#9658; macOS</a></label>
274 302
    <label for="ac-3-3"><a name="VerifyLinux">&#9658; Linux</a></label>
303
+   <label for="ac-3-3"><a name="VerifyAndroid">&#9658; Android</a></label>
275 304
    </p>
276 305
    <p>
277 306
    If you haven't already, <a href="<page download/download>">download</a>
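Review bot: the new Android label at new line 303 uses `for="ac-3-3"`, the same target as the Linux label on the line above it, while the input added for this section later in the patch has `id="ac-3-4"`. As written, clicking "Android" selects the Linux instructions and the Android article cannot be opened from this label. Change it to `for="ac-3-4"`, matching the pattern used for `ac-2-4` in the first hunk.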
... ...
@@ -380,6 +409,43 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
380 409
 
381 410
   </article>
382 411
  </div>
412
+<!-- Android -->
413
+  <div>
414
+   <input id="ac-3-4" name="accordion-3" type="radio" />
415
+   <article class="ac-os">
416
+    <h3>Verify with OpenPGP signature on Android</h3>
417
+
418
+    <p>
419
+    To verify the signature of the package you downloaded, you will need
420
+    to download the ".asc" file as well. Assuming you downloaded the
421
+    package and its signature to your Downloads folder, run:
422
+    </p>
423
+
424
+    <pre>
425
+    $ jarsigner -verify -verbose -certs tor-browser-android-arm-<version-torbrowserbundleandroid>.apk
426
+    </pre>
427
+
428
+    <p>or using <a hef="https://developer.android.com/studio/command-line/apksigner">apksigner</a>:
429
+
430
+    <pre>
431
+    $ apksigner verify --print-certs tor-browser-android-arm-<version-torbrowserbundleandroid>.apk
432
+    </pre>
433
+
434
+    <p>The output should say "Good signature":</p>
435
+    <!-- TODO this is the output i got verifying the signature with gpg -->
436
+    <pre>
437
+gpg: assuming signed data in 'tor-browser-android-arm-1.0a1.apk'
438
+gpg: Signature made Thu 06 Sep 2018 08:38:27 PM CEST
439
+gpg:                using RSA key 0xEB774491D9FF06E2
440
+gpg: Good signature from "Tor Browser Developers (signing key) &lt;torbrowser@torproject.org&gt;" [unknown]
441
+gpg: WARNING: This key is not certified with a trusted signature!
442
+gpg:          There is no indication that the signature belongs to the owner.
443
+Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
444
+     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2
445
+    </pre>
446
+  </article>
447
+ </div>
448
+
383 449
 <!-- END OS specific sections -->
384 450
     <p>
385 451
     Currently valid subkey fingerprints are:
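Review bot: the Android article (new 416 to 444) mixes two different checks. The heading and the first paragraph describe OpenPGP verification and ask for the ".asc" file, but neither command uses that file: `jarsigner -verify` and `apksigner verify --print-certs` check the signing certificate embedded in the APK. The "Good signature" sample that follows is gpg output, as the TODO comment at 435 admits, and neither command prints it. Pick one path per block. For the OpenPGP path, show the gpg command that takes the ".asc" file and the APK. For the APK path, show what jarsigner or apksigner actually prints, and state the certificate digest the reader must compare it against. A self-consistent APK signature alone proves only that some key signed the file, not that the Tor Browser team did. Two markup fixes in the same block: `<a hef=` at 428 should be `<a href=`, and the `<p>or using` paragraph is never closed before the following `<pre>`.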
... ...
@@ -556,6 +622,17 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
556 622
     </ul>
557 623
     </article>
558 624
    </div>
625
+<!-- Android -->
626
+  <div>
627
+   <input id="ac-4-4" name="accordion-4" type="radio" />
628
+   <article class="ac-os ac-4-4">
629
+    <h3>Verififcation with a checksum on Android</h3>
630
+
631
+    <p><!-- TODO -->This part needs to be written.
632
+    <a href="https://trac.torproject.org/projects/tor/ticket/27514">Please help!</a>
633
+    </p>
634
+   </article>
635
+  </div>
559 636
    <a class="nav" href="#TOC" title="go up">&uarr;</a>
560 637
   </article><!-- END ac-box -->
561 638
  </div><!-- END step 3 -->
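Review bot: the heading at new line 629 is misspelled, "Verififcation" should be "Verification". The article also uses `class="ac-os ac-4-4"`, while the other Android articles in this patch use plain `class="ac-os"`. Drop the extra class unless a stylesheet rule depends on it. No hunk in this patch adds a `<label for="ac-4-4">`, unlike the `ac-2-4` and `ac-3` sections. Unless that label already exists in the file, this placeholder section cannot be reached from the accordion. Until the checksum text is written, it may be better to leave the section out than to ship a user-facing "Please help!" stub on a verification page.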