tor-webwml.git

@@ -199,8 +199,8 @@

     <p>The next step is to use GnuPG to import the key that signed

     your package. The Tor Browser team signs Tor Browser releases. Import its

-    key (0x4E2C6E8793298290) by starting the terminal under "Applications"

-    and typing:</p>

+    key (0x4E2C6E8793298290) by starting the terminal under

+    "Applications/Utilities" and typing:</p>

     <pre>

     $ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

     </pre>

@@ -214,7 +214,7 @@

     <h3>Import OpenPGP key on Linux</h3>

     <p>

     You need to have GnuPG installed before you can verify

-    signatures. It's probably GnuPG is alreadyy installed on your

+    signatures. It is probably already installed on your

     system, as most Linux distributions come with it preinstalled.

     </p>

@@ -228,6 +228,7 @@

     <p>

    </article>

   </div>

+<!-- all OS -->

   <div>

     <p>

     After importing the key, you can verify that the fingerprint

@@ -248,8 +249,8 @@ sub   rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]

     </pre>

     <a class="nav" href="#TOC" title="go up">&uarr;</a>

   </div>

- </article><!-- END Import -->

-</div>

+ </article><!-- END ac-box -->

+</div><!-- END step 1 -->

 <!-- Verifiy with OpenPGP signature -->

 <div>

@@ -315,6 +316,11 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     package and its signature to your Downloads folder, run:

     </p>

+    <p>

+    The easiest way to verify an "asc" file is to open it by double-clicking

+    on it, or using the keying command-O. Alternatively type into the terminal:

+    </p>

+

     <pre>

     $ gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>_en-US.dmg{.asc*,}

     </pre>

@@ -322,7 +328,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     <p>The output should say "Good signature":</p>

     <pre>

-gpg: assuming signed data in 'tor-browser-osx64-<version-torbrowserbundleosx64>_en-US.tar.xz'

+gpg: assuming signed data in 'TorBrowser-<version-torbrowserbundleosx64>_en-US.dmg'

 gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET

 gpg:                using RSA key 0xD1483FA6C3C07136

 gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]

@@ -338,6 +344,15 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

    <input id="ac-3-3" name="accordion-3" type="radio" />

    <article class="ac-os">

     <h3>Verify with OpenPGP signature on Linux</h3>

+

+    <p>For Tor (not Tor Browser) packages:

+    On <b>Debian</b> you should read the instructions on

+    <a href="<page docs/debian>#packages">importing these keys to apt</a>

+    to use our package repository instead.

+    If you're using the <b>RPMs</b>, you can manually verify the signatures by

+    <pre>rpm -K filename.rpm</pre>

+    </p>

+

     <p>

     To verify the signature of the package you downloaded, you will need

     to download the ".asc" file as well. Assuming you downloaded the

@@ -363,15 +378,6 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

      Subkey fingerprint: A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136

     </pre>

-    <p>

-    On <b>Debian</b> for Tor (not Tor Browser) packages, you should read the

-    instructions on

-    <a href="<page docs/debian>#packages">importing these keys to apt</a>.

-    If you're using the <b>RPMs</b> (for Tor, not Tor Browser), you can

-    manually verify the signatures on the RPM packages by

-    <pre>rpm -K filename.rpm</pre>

-    </p>

-

   </article>

  </div>

 <!-- END OS specific sections -->

@@ -387,8 +393,8 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     Notice that there is a warning because you haven't assigned a trust

     index to this person. This means that GnuPG verified that the key made

     that signature, but it's up to you to decide if that key really belongs

-    to the developer. The best method is to meet the developer in person and

-    exchange key fingerprints.

+    to the developer. As international travel to meet the developer might be

+    unfeasable you are left with trusting other people who signed this key.

     </p>

     <p>To learn more about GnuPG see

@@ -396,15 +402,16 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     </p>

     <a class="nav" href="#TOC" title="go up">&uarr;</a>

-  </article>

- </div>

+  </article><!-- END ac-box -->

+ </div><!-- END step 2 -->

 <!-- Verify checksums -->

  <div>

   <input id="ac-4" name="accordion-4" type="checkbox" />

    <label for="ac-4">

     <a class="nav" title="link here" href="#ChecksumVerification">&#9668;</a>

-    <h3><a id="ChecksumVerification">Step 3: Verify the file integrity by sha256 checksum</a></h3>

+    <h3><a id="ChecksumVerification">Step 3: Verify the file integrity

+    with a sha256 checksums</a></h3>

     <hr>

     <p>

     Build reproducibility is a

@@ -421,8 +428,8 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

    </label>

   <article>

     <p>

-    Note: This process does not work on OS X yet due to Apple's codesigning requirement.

-    See <a href="#MARVerification">MAR verification</a> below.

+    Note: This process does not work on macOS yet due to Apple's codesigning

+    requirement. See <a href="#MARVerification">MAR verification</a> below.

     </p>

      <ul>

       <li>

@@ -431,11 +438,13 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

       <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.

       They can all be found in the same directory under

       <a href="https://www.torproject.org/dist/torbrowser/">

-      https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux64>'

+      https://www.torproject.org/dist/torbrowser/</a>, for example in

+      '<version-torbrowserbundlelinux64>'

       for Tor Browser <version-torbrowserbundlelinux64>.

       </li>

       <li>

-      Retrieve the signers' GPG key with following ID with the method <a href="#ImportKey">described above</a>:<br/>

+      Retrieve the signers' GPG key with following ID with the method

+      <a href="#ImportKey">described above</a>:<br/>

       (Other developers' key IDs can be found

       <a href="<page docs/signing-keys>">here)</a>

       </li>

@@ -507,7 +516,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

 <!-- Mac OS --><!--

  <div>

    <article class="ac-os">

-     This process does not work on OS X yet due to Apple's codesigning requirement.

+     This process does not work on macOS yet due to Apple's codesigning requirement.

    </article>

  </div>

 -->

@@ -563,8 +572,8 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     </article>

    </div>

    <a class="nav" href="#TOC" title="go up">&uarr;</a>

-  </article>

- </div>

+  </article><!-- END ac-box -->

+ </div><!-- END step 3 -->

 <!-- MAR verification -->

  <div>