Roger Dingledine commited on 2011-09-09 18:54:21
Zeige 1 geänderte Dateien mit 89 Einfügungen und 182 Löschungen.
it's still awful, in that it doesn't explain why you would want to verify a signature, or how you actually decide whether to trust a key.
... | ... |
@@ -12,205 +12,121 @@ |
12 | 12 |
<h1>How to verify signatures for packages</h1> |
13 | 13 |
<hr> |
14 | 14 |
|
15 |
- <p>Each file on <a href="<page download/download>">our download page</a> is accompanied |
|
16 |
- by a file with the same name as the package and the extension |
|
17 |
- ".asc". These .asc files are GPG signatures. They allow you to verify |
|
18 |
- the file you've downloaded is exactly the one that we intended you to |
|
19 |
- get. For example, tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by |
|
15 |
+ <p>Each file on <a href="<page download/download>">our download |
|
16 |
+ page</a> is accompanied by a file with the same name as the |
|
17 |
+ package and the extension ".asc". These .asc files are GPG |
|
18 |
+ signatures. They allow you to verify the file you've downloaded |
|
19 |
+ is exactly the one that we intended you to get. For example, |
|
20 |
+ tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by |
|
20 | 21 |
tor-browser-<version-torbrowserbundle>_en-US.exe.asc.</p> |
21 | 22 |
|
22 |
- <p>Of course, you'll need to have our GPG keys in your keyring: if you don't |
|
23 |
- know the GPG key, you can't be sure that it was really us who signed it. The |
|
24 |
- signing keys we use are:</p> |
|
25 |
- <ul> |
|
26 |
- <li>Roger's (0x28988BF5) typically signs the source code file.</li> |
|
27 |
- <li>Nick's (0x165733EA, or its subkey 0x8D29319A).</li> |
|
28 |
- <li>Andrew's (0x31B0974B) typically signed older packages for windows and mac.</li> |
|
29 |
- <li>Peter's (0xC82E0039, or its subkey 0xE1DEC577).</li> |
|
30 |
- <li>Tomás's (0x9A753A6B) signs current Vidalia release tarballs and tags.</li> |
|
31 |
- <li>Matt's (0x5FA14861) signed older Vidalia release tarballs.</li> |
|
32 |
- <li>Damian's (0x9ABBEEC6) signs Arm releases</li> |
|
33 |
- <li>Jacob's (0xE012B42D).</li> |
|
34 |
- <li>Erinn's (0x63FEE659) and (0xF1F5C9B5) typically signs all windows, mac, and most linux packages.</li> |
|
35 |
- <li>Mike's (0xDDC6C0AD) signs the Torbutton xpi.</li> |
|
36 |
- <li>Karsten's (0xF7C11265) signs the metrics archives and tools.</li> |
|
37 |
- <li>Robert Hogan's (0x22F6856F) signs torsocks release tarballs and tags.</li> |
|
38 |
- <li>Nathan's (0xB374CBD2) signs the Android APK file for Orbot.</li>. |
|
39 |
- <li>Tor Project Archive (0x886DDD89) signs the deb.torproject.org repositories and archives</li> |
|
40 |
- </ul> |
|
41 |
- |
|
42 |
- <h3>Step Zero: Install GnuPG</h3> |
|
23 |
+ <h3>Windows</h3> |
|
43 | 24 |
<hr> |
44 |
- <p>You need to have GnuPG installed before you can verify |
|
45 |
- signatures.</p> |
|
46 | 25 |
|
47 |
- <ul> |
|
48 |
- <li>Linux: see <a |
|
26 |
+ <p>You need to have GnuPG installed |
|
27 |
+ before you can verify signatures. Go to <a |
|
49 | 28 |
href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a> |
50 |
- or install <i>gnupg</i> from the package management system.</li> |
|
51 |
- <li>Windows: see <a |
|
52 |
- href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>. Look |
|
53 |
- for the "version compiled for MS-Windows" under "Binaries".</li> |
|
54 |
- <li>Mac: see <a |
|
55 |
- href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.</li> |
|
56 |
- </ul> |
|
57 |
- |
|
58 |
- <h3>Step One: Import the keys</h3> |
|
59 |
- <hr> |
|
60 |
- <p>The next step is to import the key. This can be done directly from |
|
61 |
- GnuPG. Make sure you import the correct key. For example, if you |
|
62 |
- downloaded a Windows package, you will need to import Erinn's key.</p> |
|
29 |
+ and look for the "version compiled for MS-Windows" under "Binaries".</p> |
|
30 |
+ |
|
31 |
+ <p>Once it's installed, use GnuPG to import the key that signed your |
|
32 |
+ package. Since GnuPG for Windows is a command-line tool, you will need |
|
33 |
+ to use <i>cmd.exe</i>. Unless you edit your PATH environment variable, |
|
34 |
+ you will need to tell Windows the full path to the GnuPG program. If |
|
35 |
+ you installed GnuPG with the default values, the path should be |
|
36 |
+ something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p> |
|
37 |
+ |
|
38 |
+ <p>Erinn Clark signs the Tor Browser Bundles. Import her key |
|
39 |
+ (0x63FEE659) by starting <i>cmd.exe</i> and typing:</p> |
|
40 |
+ |
|
41 |
+ <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre> |
|
42 |
+ |
|
43 |
+ <p>After importing the key, you can verify that the fingerprint |
|
44 |
+ is correct:</p> |
|
63 | 45 |
|
64 |
- <p><b>Windows:</b></p> |
|
65 |
- <p>GnuPG for Windows is a command line tool, and you will need to use |
|
66 |
- <i>cmd.exe</i>. Unless you edit your PATH environment variable, you will |
|
67 |
- need to tell Windows the full path to the GnuPG program. If you installed GnuPG |
|
68 |
- with the default values, the path should be something like this: <i>C:\Program |
|
69 |
- Files\Gnu\GnuPg\gpg.exe</i>.</p> |
|
46 |
+ <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint 0x63FEE659</pre> |
|
70 | 47 |
|
71 |
- <p>To import the key 0x28988BF5, start <i>cmd.exe</i> and type:</p> |
|
48 |
+ <p>You should see:</p> |
|
49 |
+ <pre> |
|
50 |
+ pub 2048R/63FEE659 2003-10-16 |
|
51 |
+ Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659 |
|
52 |
+ uid Erinn Clark <erinn@torproject.org> |
|
53 |
+ uid Erinn Clark <erinn@debian.org> |
|
54 |
+ uid Erinn Clark <erinn@double-helix.org> |
|
55 |
+ sub 2048R/EB399FD7 2003-10-16 |
|
56 |
+</pre> |
|
72 | 57 |
|
73 |
- <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre> |
|
58 |
+ <p>To verify the signature of the package you downloaded, you will need |
|
59 |
+ to download the ".asc" file as well. Assuming you downloaded the |
|
60 |
+ package and its signature to your Desktop, run:</p> |
|
74 | 61 |
|
75 |
- <p><b>Mac and Linux</b></p> |
|
76 |
- <p>Whether you have a Mac or you run Linux, you will need to use the terminal |
|
77 |
- to run GnuPG. Mac users can find the terminal under "Applications". If you run |
|
78 |
- Linux and use Gnome, the terminal should be under "Applications menu" and |
|
79 |
- "Accessories". KDE users can find the terminal under "Menu" and "System".</p> |
|
62 |
+ <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre> |
|
80 | 63 |
|
81 |
- <p>To import the key 0x28988BF5, start the terminal and type:</p> |
|
64 |
+ <p>The output should say "Good signature": </p> |
|
82 | 65 |
|
83 |
- <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre> |
|
66 |
+ <pre> |
|
67 |
+ gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659 |
|
68 |
+ gpg: Good signature from "Erinn Clark <erinn@torproject.org>" |
|
69 |
+ gpg: aka "Erinn Clark <erinn@debian.org>" |
|
70 |
+ gpg: aka "Erinn Clark <erinn@double-helix.org>" |
|
71 |
+ gpg: WARNING: This key is not certified with a trusted signature! |
|
72 |
+ gpg: There is no indication that the signature belongs to the owner. |
|
73 |
+ Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659 |
|
74 |
+ </pre> |
|
84 | 75 |
|
85 |
- <h3>Step Two: Verify the fingerprints</h3> |
|
76 |
+ <p> |
|
77 |
+ Notice that there is a warning because you haven't assigned a trust |
|
78 |
+ index to this person. This means that GnuPG verified that the key made |
|
79 |
+ that signature, but it's up to you to decide if that key really belongs |
|
80 |
+ to the developer. The best method is to meet the developer in person and |
|
81 |
+ exchange key fingerprints. |
|
82 |
+ </p> |
|
83 |
+ |
|
84 |
+ <h3>Mac OS X</h3> |
|
86 | 85 |
<hr> |
87 |
- <p>After importing the key, you will want to verify that the fingerprint is correct.</p> |
|
88 | 86 |
|
89 |
- <p><b>Windows:</b></p> |
|
90 |
- <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint (insert keyid here)</pre> |
|
87 |
+ <p>You need to have GnuPG installed before you can verify |
|
88 |
+ signatures. You can install it from <a |
|
89 |
+ href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>. |
|
90 |
+ </p> |
|
91 |
+ |
|
92 |
+ <p>Once it's installed, use GnuPG to import the key that signed |
|
93 |
+ your package. Erinn Clark signs the Tor Browser Bundles. Import her |
|
94 |
+ key (0x63FEE659) by starting the terminal (under "Applications") |
|
95 |
+ and typing:</p> |
|
91 | 96 |
|
92 |
- <p><b>Mac and Linux</b></p> |
|
93 |
- <pre>gpg --fingerprint (insert keyid here)</pre> |
|
97 |
+ <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre> |
|
94 | 98 |
|
95 |
- The fingerprints for the keys should be: |
|
99 |
+ <p>After importing the key, you can verify that the fingerprint |
|
100 |
+ is correct:</p> |
|
96 | 101 |
|
97 |
- <pre> |
|
98 |
- pub 1024D/28988BF5 2000-02-27 |
|
99 |
- Key fingerprint = B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5 |
|
100 |
- uid Roger Dingledine <arma@mit.edu> |
|
101 |
- |
|
102 |
- pub 3072R/165733EA 2004-07-03 |
|
103 |
- Key fingerprint = B35B F85B F194 89D0 4E28 C33C 2119 4EBB 1657 33EA |
|
104 |
- uid Nick Mathewson <nickm@alum.mit.edu> |
|
105 |
- uid Nick Mathewson <nickm@wangafu.net> |
|
106 |
- uid Nick Mathewson <nickm@freehaven.net> |
|
107 |
- |
|
108 |
- pub 1024D/31B0974B 2003-07-17 |
|
109 |
- Key fingerprint = 0295 9AA7 190A B9E9 027E 0736 3B9D 093F 31B0 974B |
|
110 |
- uid Andrew Lewman (phobos) <phobos@rootme.org> |
|
111 |
- uid Andrew Lewman <andrew@lewman.com> |
|
112 |
- uid Andrew Lewman <andrew@torproject.org> |
|
113 |
- sub 4096g/B77F95F7 2003-07-17 |
|
114 |
- |
|
115 |
- pub 4096R/C82E0039 2003-03-24 |
|
116 |
- Key fingerprint = 25FC 1614 B8F8 7B52 FF2F 99B9 62AF 4031 C82E 0039 |
|
117 |
- uid Peter Palfrader |
|
118 |
- uid Peter Palfrader <peter@palfrader.org> |
|
119 |
- uid Peter Palfrader <weasel@debian.org> |
|
120 |
- |
|
121 |
- pub 1024D/9A753A6B 2009-09-11 |
|
122 |
- Key fingerprint = 553D 7C2C 626E F16F 27F3 30BC 95E3 881D 9A75 3A6B |
|
123 |
- uid Tomás Touceda <chiiph@gmail.com> |
|
124 |
- sub 1024g/33BE0E5B 2009-09-11 |
|
125 |
- |
|
126 |
- pub 1024D/5FA14861 2005-08-17 |
|
127 |
- Key fingerprint = 9467 294A 9985 3C9C 65CB 141D AF7E 0E43 5FA1 4861 |
|
128 |
- uid Matt Edman <edmanm@rpi.edu> |
|
129 |
- uid Matt Edman <Matt_Edman@baylor.edu> |
|
130 |
- uid Matt Edman <edmanm2@cs.rpi.edu> |
|
131 |
- sub 4096g/EA654E59 2005-08-17 |
|
132 |
- |
|
133 |
- pub 1024D/9ABBEEC6 2009-06-17 |
|
134 |
- Key fingerprint = 6827 8CC5 DD2D 1E85 C4E4 5AD9 0445 B7AB 9ABB EEC6 |
|
135 |
- uid Damian Johnson (www.atagar.com) <atagar1@gmail.com> |
|
136 |
- uid Damian Johnson <atagar@torproject.org> |
|
137 |
- sub 2048g/146276B2 2009-06-17 |
|
138 |
- sub 2048R/87F30690 2010-08-07 |
|
139 |
- |
|
140 |
- pub 4096R/E012B42D 2010-05-07 |
|
141 |
- Key fingerprint = D8C9 AF51 CAA9 CAEA D3D8 9C9E A34F A745 E012 B42D |
|
142 |
- uid Jacob Appelbaum <jacob@appelbaum.net> |
|
143 |
- uid Jacob Appelbaum <jacob@torproject.org> |
|
144 |
- sub 4096R/7CA91A52 2010-05-07 [expires: 2011-05-07] |
|
102 |
+ <pre>gpg --fingerprint 0x63FEE659</pre> |
|
145 | 103 |
|
104 |
+ <p>You should see:</p> |
|
105 |
+ <pre> |
|
146 | 106 |
pub 2048R/63FEE659 2003-10-16 |
147 | 107 |
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659 |
148 | 108 |
uid Erinn Clark <erinn@torproject.org> |
149 | 109 |
uid Erinn Clark <erinn@debian.org> |
150 | 110 |
uid Erinn Clark <erinn@double-helix.org> |
151 | 111 |
sub 2048R/EB399FD7 2003-10-16 |
152 |
- |
|
153 |
- pub 1024D/F1F5C9B5 2010-02-03 |
|
154 |
- Key fingerprint = C2E3 4CFC 13C6 2BD9 2C75 79B5 6B8A AEB1 F1F5 C9B5 |
|
155 |
- uid Erinn Clark <erinn@torproject.org> |
|
156 |
- sub 1024g/7828F26A 2010-02-03 |
|
157 |
- |
|
158 |
- pub 1024D/DDC6C0AD 2006-07-26 |
|
159 |
- Key fingerprint = BECD 90ED D1EE 8736 7980 ECF8 1B0C A30C DDC6 C0AD |
|
160 |
- uid Mike Perry <mikeperry@fscked.org> |
|
161 |
- uid Mike Perry <mikepery@fscked.org> |
|
162 |
- sub 4096g/AF0A91D7 2006-07-26 |
|
163 |
- |
|
164 |
- pub 1024D/F7C11265 2007-03-09 [expires: 2012-03-01] |
|
165 |
- Key fingerprint = FC8A EEF1 792E EE71 D721 7D47 D0CF 963D F7C1 1265 |
|
166 |
- uid Karsten Loesing <karsten.loesing@gmx.net> |
|
167 |
- sub 2048g/75D85E4B 2007-03-09 [expires: 2012-03-01] |
|
168 |
- |
|
169 |
- pub 1024D/22F6856F 2006-08-19 |
|
170 |
- Key fingerprint = DDB4 6B5B 7950 CD47 E59B 5189 4C09 25CF 22F6 856F |
|
171 |
- uid Robert Hogan <robert@roberthogan.net> |
|
172 |
- sub 1024g/FC4A9460 2006-08-19 |
|
173 |
- |
|
174 |
- pub 3072D/B374CBD2 2010-06-09 [expires: 2011-06-09] |
|
175 |
- Key fingerprint = B92B CA64 72F7 C6F0 8D47 8503 D2AC D203 B374 CBD2 |
|
176 |
- uid Nathan of Guardian <nathan@guardianproject.info> |
|
177 |
- sub 4096g/B5878C3B 2010-06-09 [expires: 2011-06-09] |
|
178 |
- |
|
179 |
- pub 2048R/886DDD89 2009-09-04 [expires: 2014-09-03] |
|
180 |
- Key fingerprint = A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89 |
|
181 |
- uid deb.torproject.org archive signing key |
|
182 |
- sub 2048R/219EC810 2009-09-04 [expires: 2012-09-03] |
|
183 | 112 |
</pre> |
184 | 113 |
|
185 |
- <h3>Step Three: Verify the downloaded package</h3> |
|
186 |
- <hr> |
|
187 | 114 |
<p>To verify the signature of the package you downloaded, you will need |
188 |
- to download the ".asc" file as well.</p> |
|
115 |
+ to download the ".asc" file as well. Assuming you downloaded the |
|
116 |
+ package and its signature to your Desktop, run:</p> |
|
189 | 117 |
|
190 |
- <p>In the following examples, the user Alice downloads packages for |
|
191 |
- Windows, Mac OS X and Linux and also verifies the signature of each |
|
192 |
- package. All files are saved on the desktop.</p> |
|
193 |
- |
|
194 |
- <p><b>Windows:</b></p> |
|
195 |
- <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre> |
|
196 |
- |
|
197 |
- <p><b>Mac:</b></p> |
|
198 | 118 |
<pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc /Users/Alice/<file-osx-x86-bundle-stable></pre> |
199 | 119 |
|
200 |
- <p><b>Linux</b></p> |
|
201 |
- <pre>gpg --verify /home/Alice/Desktop/<file-source-stable>.asc /home/Alice/Desktop/<file-source-stable></pre> |
|
202 |
- |
|
203 |
- |
|
204 |
- <p>After verifying, GnuPG will come back saying something like "Good |
|
205 |
- signature" or "BAD signature". The output should look something like |
|
206 |
- this:</p> |
|
120 |
+ <p>The output should say "Good signature": </p> |
|
207 | 121 |
|
208 | 122 |
<pre> |
209 |
- gpg: Signature made Tue 16 Mar 2010 05:55:17 AM CET using DSA key ID 28988BF5 |
|
210 |
- gpg: Good signature from "Roger Dingledine <arma@mit.edu>" |
|
123 |
+ gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659 |
|
124 |
+ gpg: Good signature from "Erinn Clark <erinn@torproject.org>" |
|
125 |
+ gpg: aka "Erinn Clark <erinn@debian.org>" |
|
126 |
+ gpg: aka "Erinn Clark <erinn@double-helix.org>" |
|
211 | 127 |
gpg: WARNING: This key is not certified with a trusted signature! |
212 | 128 |
gpg: There is no indication that the signature belongs to the owner. |
213 |
- Primary key fingerprint: B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5 |
|
129 |
+ Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659 |
|
214 | 130 |
</pre> |
215 | 131 |
|
216 | 132 |
<p> |
... | ... |
@@ -221,25 +137,16 @@ |
221 | 137 |
exchange key fingerprints. |
222 | 138 |
</p> |
223 | 139 |
|
224 |
- <p>For your reference, this is an example of a <em>BAD</em> verification. It |
|
225 |
- means that the signature and file contents do not match. In this case, |
|
226 |
- you should not trust the file contents:</p> |
|
227 |
- |
|
228 |
- <pre> |
|
229 |
- gpg: Signature made Tue 20 Apr 2010 12:22:32 PM CEST using DSA key ID 28988BF5 |
|
230 |
- gpg: BAD signature from "Roger Dingledine <arma@mit.edu>" |
|
231 |
- </pre> |
|
232 |
- |
|
233 |
- <p><b>RPM-based distributions :</b></p> |
|
234 |
- <p>In order to manually verify the signatures on the RPM packages, you must use the |
|
235 |
- <code>rpm</code> tool like so: <br /> |
|
140 |
+ <h3>Linux</h3> |
|
141 |
+ <hr> |
|
236 | 142 |
|
237 |
- <pre>rpm -K filename.rpm</pre></p> |
|
238 |
- <p></p> |
|
143 |
+ <p>For <b>RPM-based distributions</b> you can manually verify the |
|
144 |
+ signatures on the RPM packages by:</p> |
|
145 |
+ <pre>rpm -K filename.rpm</pre> |
|
239 | 146 |
|
240 |
- <p><b>Debian:</b></p> |
|
241 |
- <p>If you are running Tor on Debian you should read the instructions on |
|
242 |
- <a href="<page docs/debian>#packages">importing these keys to apt</a>.</p> |
|
147 |
+ <p>For <b>Debian</b>, you should read the instructions on <a |
|
148 |
+ href="<page docs/debian>#packages">importing these keys to |
|
149 |
+ apt</a>.</p> |
|
243 | 150 |
|
244 | 151 |
<p>If you wish to learn more about GPG, see <a |
245 | 152 |
href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>.</p> |
246 | 153 |