verification: improve consistency, some fixes

traumschule authored on 29/08/2018 04:45:12
Showing 1 changed files
... ...
@@ -199,8 +199,8 @@
199 199
 
200 200
     <p>The next step is to use GnuPG to import the key that signed
201 201
     your package. The Tor Browser team signs Tor Browser releases. Import its
202
-    key (0x4E2C6E8793298290) by starting the terminal under "Applications"
203
-    and typing:</p>
202
+    key (0x4E2C6E8793298290) by starting the terminal under
203
+    "Applications/Utilities" and typing:</p>
204 204
     <pre>
205 205
     $ gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
206 206
     </pre>
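Review bot: The rewrapped sentence and the unchanged command under it still identify the signing key only by the 64-bit ID 0x4E2C6E8793298290, although the page prints the full primary key fingerprint further down (EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290). Since these lines are being touched, consider giving the full fingerprint in the sentence and passing it to --recv-keys, so the key the reader imports is pinned to the same value they are asked to compare afterwards.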
... ...
@@ -214,7 +214,7 @@
214 214
     <h3>Import OpenPGP key on Linux</h3>
215 215
     <p>
216 216
     You need to have GnuPG installed before you can verify
217
-    signatures. It's probably GnuPG is alreadyy installed on your
217
+    signatures. It is probably already installed on your
218 218
     system, as most Linux distributions come with it preinstalled.
219 219
     </p>
220 220
 
... ...
@@ -228,6 +228,7 @@
228 228
     <p>
229 229
    </article>
230 230
   </div>
231
+<!-- all OS -->
231 232
   <div>
232 233
     <p>
233 234
     After importing the key, you can verify that the fingerprint
... ...
@@ -248,8 +249,8 @@ sub   rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
248 249
     </pre>
249 250
     <a class="nav" href="#TOC" title="go up">&uarr;</a>
250 251
   </div>
251
- </article><!-- END Import -->
252
-</div>
252
+ </article><!-- END ac-box -->
253
+</div><!-- END step 1 -->
253 254
 
254 255
 <!-- Verifiy with OpenPGP signature -->
255 256
 <div>
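Review bot: Replacing "END Import" with the generic "END ac-box" loses information, because the same "END ac-box" label is also added to the closing article tags of steps 2 and 3 later in this patch, so the comment no longer says which box it closes. Something like "END ac-box (import)" would keep the new naming and stay unambiguous. While editing these comments, the unchanged one just below reads "Verifiy with OpenPGP signature" and could be corrected to "Verify" in the same pass.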
... ...
@@ -315,6 +316,11 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
315 316
     package and its signature to your Downloads folder, run:
316 317
     </p>
317 318
 
319
+    <p>
320
+    The easiest way to verify an "asc" file is to open it by double-clicking
321
+    on it, or using the keying command-O. Alternatively type into the terminal:
322
+    </p>
323
+
318 324
     <pre>
319 325
     $ gpg --verify ~/Downloads/TorBrowser-<version-torbrowserbundleosx64>_en-US.dmg{.asc*,}
320 326
     </pre>
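Review bot: The new paragraph is inserted between the existing sentence that ends in "run:" and the command it introduces, so the page now has two lead-ins in a row ("... to your Downloads folder, run:" followed by "Alternatively type into the terminal:"), with the first one pointing at nothing. Either move the added paragraph above the "Assuming you downloaded ..." text or reword the earlier sentence. "using the keying command-O" looks like a typo for "the key combination Command-O", and the text should say which application is expected to open the .asc file, because double-clicking only verifies anything if an OpenPGP front end is registered for that file type. It would also help to state that the GUI result must show the same signing key as the terminal output below, not just a success message.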
... ...
@@ -322,7 +328,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
322 328
     <p>The output should say "Good signature":</p>
323 329
 
324 330
     <pre>
325
-gpg: assuming signed data in 'tor-browser-osx64-<version-torbrowserbundleosx64>_en-US.tar.xz'
331
+gpg: assuming signed data in 'TorBrowser-<version-torbrowserbundleosx64>_en-US.dmg'
326 332
 gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
327 333
 gpg:                using RSA key 0xD1483FA6C3C07136
328 334
 gpg: Good signature from "Tor Browser Developers (signing key) &lt;torbrowser@torproject.org&gt;" [unknown]
... ...
@@ -338,6 +344,15 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
338 344
    <input id="ac-3-3" name="accordion-3" type="radio" />
339 345
    <article class="ac-os">
340 346
     <h3>Verify with OpenPGP signature on Linux</h3>
347
+
348
+    <p>For Tor (not Tor Browser) packages:
349
+    On <b>Debian</b> you should read the instructions on
350
+    <a href="<page docs/debian>#packages">importing these keys to apt</a>
351
+    to use our package repository instead.
352
+    If you're using the <b>RPMs</b>, you can manually verify the signatures by
353
+    <pre>rpm -K filename.rpm</pre>
354
+    </p>
355
+
341 356
     <p>
342 357
     To verify the signature of the package you downloaded, you will need
343 358
     to download the ".asc" file as well. Assuming you downloaded the
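Review bot: The moved block keeps a pre element inside a p element ("&lt;pre&gt;rpm -K filename.rpm&lt;/pre&gt;" followed by "&lt;/p&gt;"), which is not valid HTML: the pre implicitly closes the paragraph and the trailing "&lt;/p&gt;" is left unmatched. Close the paragraph before the pre, and end the lead-in sentence with a colon ("verify the signatures by running:"). The RPM sentence also does not say that rpm checks against keys imported into its own keyring rather than the GnuPG keyring used in step 1, so a reader following the page as written has no key for "rpm -K" to check against; a short pointer to where that import is documented would close the gap. Finally, placing the Tor (not Tor Browser) aside first under "Verify with OpenPGP signature on Linux" means Tor Browser users hit an exception before the main instructions; a short heading or a "Note:" prefix would make it easier to skip.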
... ...
@@ -363,15 +378,6 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
363 378
      Subkey fingerprint: A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136
364 379
     </pre>
365 380
 
366
-    <p>
367
-    On <b>Debian</b> for Tor (not Tor Browser) packages, you should read the
368
-    instructions on
369
-    <a href="<page docs/debian>#packages">importing these keys to apt</a>.
370
-    If you're using the <b>RPMs</b> (for Tor, not Tor Browser), you can
371
-    manually verify the signatures on the RPM packages by
372
-    <pre>rpm -K filename.rpm</pre>
373
-    </p>
374
-
375 381
   </article>
376 382
  </div>
377 383
 <!-- END OS specific sections -->
... ...
@@ -387,8 +393,8 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
387 393
     Notice that there is a warning because you haven't assigned a trust
388 394
     index to this person. This means that GnuPG verified that the key made
389 395
     that signature, but it's up to you to decide if that key really belongs
390
-    to the developer. The best method is to meet the developer in person and
391
-    exchange key fingerprints.
396
+    to the developer. As international travel to meet the developer might be
397
+    unfeasable you are left with trusting other people who signed this key.
392 398
     </p>
393 399
 
394 400
     <p>To learn more about GnuPG see
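Review bot: The replacement sentence removes the only concrete advice on how to decide whether the key is authentic and leaves the reader with "trusting other people who signed this key" without saying how to inspect those signatures or which of them to rely on. Please keep an actionable step, for example comparing the "Primary key fingerprint" in the gpg output against the fingerprint published on this page over HTTPS, and mention in-person fingerprint exchange as the stronger option rather than dropping it. Spelling: "unfeasable" should be "infeasible", and a comma is needed after it.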
... ...
@@ -396,15 +402,16 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
396 402
     </p>
397 403
 
398 404
     <a class="nav" href="#TOC" title="go up">&uarr;</a>
399
-  </article>
400
- </div>
405
+  </article><!-- END ac-box -->
406
+ </div><!-- END step 2 -->
401 407
 
402 408
 <!-- Verify checksums -->
403 409
  <div>
404 410
   <input id="ac-4" name="accordion-4" type="checkbox" />
405 411
    <label for="ac-4">
406 412
     <a class="nav" title="link here" href="#ChecksumVerification">&#9668;</a>
407
-    <h3><a id="ChecksumVerification">Step 3: Verify the file integrity by sha256 checksum</a></h3>
413
+    <h3><a id="ChecksumVerification">Step 3: Verify the file integrity
414
+    with a sha256 checksums</a></h3>
408 415
     <hr>
409 416
     <p>
410 417
     Build reproducibility is a
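Review bot: The new heading text "with a sha256 checksums" mixes singular and plural. Use either "with a SHA256 checksum" or "with SHA256 checksums"; the second matches the sha256sums file names used in this step. Splitting the heading across two lines inside the anchor is fine for rendering, but keep the indentation of the continuation line consistent with the opening tag.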
... ...
@@ -421,8 +428,8 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
421 428
    </label>
422 429
   <article>
423 430
     <p>
424
-    Note: This process does not work on OS X yet due to Apple's codesigning requirement.
425
-    See <a href="#MARVerification">MAR verification</a> below.
431
+    Note: This process does not work on macOS yet due to Apple's codesigning
432
+    requirement. See <a href="#MARVerification">MAR verification</a> below.
426 433
     </p>
427 434
      <ul>
428 435
       <li>
... ...
@@ -431,11 +438,13 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
431 438
       <tt>sha256sums-unsigned-build.txt.asc</tt> signature file.
432 439
       They can all be found in the same directory under
433 440
       <a href="https://www.torproject.org/dist/torbrowser/">
434
-      https://www.torproject.org/dist/torbrowser/</a>, for example in '<version-torbrowserbundlelinux64>'
441
+      https://www.torproject.org/dist/torbrowser/</a>, for example in
442
+      '<version-torbrowserbundlelinux64>'
435 443
       for Tor Browser <version-torbrowserbundlelinux64>.
436 444
       </li>
437 445
       <li>
438
-      Retrieve the signers' GPG key with following ID with the method <a href="#ImportKey">described above</a>:<br/>
446
+      Retrieve the signers' GPG key with following ID with the method
447
+      <a href="#ImportKey">described above</a>:<br/>
439 448
       (Other developers' key IDs can be found
440 449
       <a href="<page docs/signing-keys>">here)</a>
441 450
       </li>
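Review bot: The rewrapped list item still reads "Retrieve the signers' GPG key with following ID with the method", which is hard to parse; since the line is being split anyway, "Retrieve the signers' GPG key with the following ID, using the method described above:" would read better. In the unchanged line after it, the closing parenthesis sits inside the link text ("here)&lt;/a&gt;") and should move outside the anchor. The hunk as shown also has no key ID between the "&lt;br/&gt;" and the parenthetical, so please check that the ID the sentence announces is actually rendered there.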
... ...
@@ -507,7 +516,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
507 516
 <!-- Mac OS --><!--
508 517
  <div>
509 518
    <article class="ac-os">
510
-     This process does not work on OS X yet due to Apple's codesigning requirement.
519
+     This process does not work on macOS yet due to Apple's codesigning requirement.
511 520
    </article>
512 521
  </div>
513 522
 -->
... ...
@@ -563,8 +572,8 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
563 572
     </article>
564 573
    </div>
565 574
    <a class="nav" href="#TOC" title="go up">&uarr;</a>
566
-  </article>
567
- </div>
575
+  </article><!-- END ac-box -->
576
+ </div><!-- END step 3 -->
568 577
 
569 578
 <!-- MAR verification -->
570 579
  <div>