tor-webwml.git

@@ -12,205 +12,121 @@

     <h1>How to verify signatures for packages</h1>

     <hr>

-    <p>Each file on <a href="<page download/download>">our download page</a> is accompanied

-    by a file with the same name as the package and the extension

-    ".asc". These .asc files are GPG signatures. They allow you to verify

-    the file you've downloaded is exactly the one that we intended you to

-    get. For example, tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by

+    <p>Each file on <a href="<page download/download>">our download

+    page</a> is accompanied by a file with the same name as the

+    package and the extension ".asc". These .asc files are GPG

+    signatures. They allow you to verify the file you've downloaded

+    is exactly the one that we intended you to get. For example,

+    tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by

     tor-browser-<version-torbrowserbundle>_en-US.exe.asc.</p>

-    <p>Of course, you'll need to have our GPG keys in your keyring: if you don't

-    know the GPG key, you can't be sure that it was really us who signed it. The

-    signing keys we use are:</p>

-    <ul>

-    <li>Roger's (0x28988BF5) typically signs the source code file.</li>

-    <li>Nick's (0x165733EA, or its subkey 0x8D29319A).</li>

-    <li>Andrew's (0x31B0974B) typically signed older packages for windows and mac.</li>

-    <li>Peter's (0xC82E0039, or its subkey 0xE1DEC577).</li>

-    <li>Tomás's (0x9A753A6B) signs current Vidalia release tarballs and tags.</li>

-    <li>Matt's (0x5FA14861) signed older Vidalia release tarballs.</li>

-    <li>Damian's (0x9ABBEEC6) signs Arm releases</li>

-    <li>Jacob's (0xE012B42D).</li>

-    <li>Erinn's (0x63FEE659) and (0xF1F5C9B5) typically signs all windows, mac, and most linux packages.</li>

-    <li>Mike's (0xDDC6C0AD) signs the Torbutton xpi.</li>

-    <li>Karsten's (0xF7C11265) signs the metrics archives and tools.</li>

-    <li>Robert Hogan's (0x22F6856F) signs torsocks release tarballs and tags.</li>

-    <li>Nathan's (0xB374CBD2) signs the Android APK file for Orbot.</li>.

-    <li>Tor Project Archive (0x886DDD89) signs the deb.torproject.org repositories and archives</li>

-    </ul>

-

-    <h3>Step Zero: Install GnuPG</h3>

+    <h3>Windows</h3>

     <hr>

-    <p>You need to have GnuPG installed before you can verify

-    signatures.</p>

-    <ul>

-    <li>Linux: see <a

+    <p>You need to have GnuPG installed

+    before you can verify signatures. Go to <a

     href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>

-    or install <i>gnupg</i> from the package management system.</li>

-    <li>Windows: see <a

-    href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>. Look

-    for the "version compiled for MS-Windows" under "Binaries".</li>

-    <li>Mac: see <a

-    href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.</li>

-    </ul>

-

-    <h3>Step One:  Import the keys</h3>

-    <hr>

-    <p>The next step is to import the key. This can be done directly from

-    GnuPG. Make sure you import the correct key. For example, if you

-    downloaded a Windows package, you will need to import Erinn's key.</p>

+    and look for the "version compiled for MS-Windows" under "Binaries".</p>

+

+    <p>Once it's installed, use GnuPG to import the key that signed your

+    package. Since GnuPG for Windows is a command-line tool, you will need

+    to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,

+    you will need to tell Windows the full path to the GnuPG program. If

+    you installed GnuPG with the default values, the path should be

+    something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>

+

+    <p>Erinn Clark signs the Tor Browser Bundles. Import her key

+    (0x63FEE659) by starting <i>cmd.exe</i> and typing:</p>

+

+    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>

+

+    <p>After importing the key, you can verify that the fingerprint

+    is correct:</p>

-    <p><b>Windows:</b></p>

-    <p>GnuPG for Windows is a command line tool, and you will need to use

-    <i>cmd.exe</i>. Unless you edit your PATH environment variable, you will

-    need to tell Windows the full path to the GnuPG program. If you installed GnuPG

-    with the default values, the path should be something like this: <i>C:\Program

-    Files\Gnu\GnuPg\gpg.exe</i>.</p>

+    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint 0x63FEE659</pre>

-    <p>To import the key 0x28988BF5, start <i>cmd.exe</i> and type:</p>

+    <p>You should see:</p>

+    <pre>

+    pub   2048R/63FEE659 2003-10-16

+          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

+    uid                  Erinn Clark <erinn@torproject.org>

+    uid                  Erinn Clark <erinn@debian.org>

+    uid                  Erinn Clark <erinn@double-helix.org>

+    sub   2048R/EB399FD7 2003-10-16

+</pre>

-    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre>

+    <p>To verify the signature of the package you downloaded, you will need

+    to download the ".asc" file as well. Assuming you downloaded the

+    package and its signature to your Desktop, run:</p>

-    <p><b>Mac and Linux</b></p>

-    <p>Whether you have a Mac or you run Linux, you will need to use the terminal

-    to run GnuPG. Mac users can find the terminal under "Applications". If you run

-    Linux and use Gnome, the terminal should be under "Applications menu" and

-    "Accessories". KDE users can find the terminal under "Menu" and "System".</p>

+    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre>

-    <p>To import the key 0x28988BF5, start the terminal and type:</p>

+    <p>The output should say "Good signature": </p>

-    <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre>

+    <pre>

+    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659

+    gpg: Good signature from "Erinn Clark <erinn@torproject.org>"

+    gpg:                 aka "Erinn Clark <erinn@debian.org>"

+    gpg:                 aka "Erinn Clark <erinn@double-helix.org>"

+    gpg: WARNING: This key is not certified with a trusted signature!

+    gpg:          There is no indication that the signature belongs to the owner.

+    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

+    </pre>

-    <h3>Step Two:  Verify the fingerprints</h3>

+    <p>

+    Notice that there is a warning because you haven't assigned a trust

+    index to this person. This means that GnuPG verified that the key made

+    that signature, but it's up to you to decide if that key really belongs

+    to the developer. The best method is to meet the developer in person and

+    exchange key fingerprints.

+    </p>

+

+    <h3>Mac OS X</h3>

     <hr>

-    <p>After importing the key, you will want to verify that the fingerprint is correct.</p>

-    <p><b>Windows:</b></p>

-    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint (insert keyid here)</pre>

+    <p>You need to have GnuPG installed before you can verify

+    signatures. You can install it from <a

+    href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.

+    </p>

+

+    <p>Once it's installed, use GnuPG to import the key that signed

+    your package. Erinn Clark signs the Tor Browser Bundles. Import her

+    key (0x63FEE659) by starting the terminal (under "Applications")

+    and typing:</p>

-    <p><b>Mac and Linux</b></p>

-    <pre>gpg --fingerprint (insert keyid here)</pre>

+    <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>

-    The fingerprints for the keys should be:

+    <p>After importing the key, you can verify that the fingerprint

+    is correct:</p>

-    <pre>

-    pub   1024D/28988BF5 2000-02-27

-          Key fingerprint = B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5

-    uid                  Roger Dingledine <arma@mit.edu>

-

-    pub   3072R/165733EA 2004-07-03

-          Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA

-    uid                  Nick Mathewson <nickm@alum.mit.edu>

-    uid                  Nick Mathewson <nickm@wangafu.net>

-    uid                  Nick Mathewson <nickm@freehaven.net>

-

-    pub  1024D/31B0974B 2003-07-17

-         Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B

-    uid                  Andrew Lewman (phobos) <phobos@rootme.org>

-    uid                  Andrew Lewman <andrew@lewman.com>

-    uid                  Andrew Lewman <andrew@torproject.org>

-    sub   4096g/B77F95F7 2003-07-17

-

-    pub   4096R/C82E0039 2003-03-24

-          Key fingerprint = 25FC 1614 B8F8 7B52 FF2F  99B9 62AF 4031 C82E 0039

-    uid                  Peter Palfrader

-    uid                  Peter Palfrader <peter@palfrader.org>

-    uid                  Peter Palfrader <weasel@debian.org>

-

-    pub   1024D/9A753A6B 2009-09-11

-          Key fingerprint = 553D 7C2C 626E F16F 27F3  30BC 95E3 881D 9A75 3A6B

-    uid                  Tomás Touceda <chiiph@gmail.com>

-    sub   1024g/33BE0E5B 2009-09-11

-

-    pub   1024D/5FA14861 2005-08-17

-          Key fingerprint = 9467 294A 9985 3C9C 65CB  141D AF7E 0E43 5FA1 4861

-    uid                  Matt Edman <edmanm@rpi.edu>

-    uid                  Matt Edman <Matt_Edman@baylor.edu>

-    uid                  Matt Edman <edmanm2@cs.rpi.edu>

-    sub   4096g/EA654E59 2005-08-17

-

-    pub   1024D/9ABBEEC6 2009-06-17

-          Key fingerprint = 6827 8CC5 DD2D 1E85 C4E4  5AD9 0445 B7AB 9ABB EEC6

-    uid                  Damian Johnson (www.atagar.com) <atagar1@gmail.com>

-    uid                  Damian Johnson <atagar@torproject.org>

-    sub   2048g/146276B2 2009-06-17

-    sub   2048R/87F30690 2010-08-07

-

-    pub   4096R/E012B42D 2010-05-07

-          Key fingerprint = D8C9 AF51 CAA9 CAEA D3D8  9C9E A34F A745 E012 B42D

-    uid                  Jacob Appelbaum <jacob@appelbaum.net>

-    uid                  Jacob Appelbaum <jacob@torproject.org>

-    sub   4096R/7CA91A52 2010-05-07 [expires: 2011-05-07]

+    <pre>gpg --fingerprint 0x63FEE659</pre>

+    <p>You should see:</p>

+    <pre>

     pub   2048R/63FEE659 2003-10-16

           Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

     uid                  Erinn Clark <erinn@torproject.org>

     uid                  Erinn Clark <erinn@debian.org>

     uid                  Erinn Clark <erinn@double-helix.org>

     sub   2048R/EB399FD7 2003-10-16

-

-    pub   1024D/F1F5C9B5 2010-02-03

-          Key fingerprint = C2E3 4CFC 13C6 2BD9 2C75  79B5 6B8A AEB1 F1F5 C9B5

-    uid                  Erinn Clark <erinn@torproject.org>

-    sub   1024g/7828F26A 2010-02-03

-

-    pub   1024D/DDC6C0AD 2006-07-26

-          Key fingerprint = BECD 90ED D1EE 8736 7980  ECF8 1B0C A30C DDC6 C0AD

-    uid                  Mike Perry <mikeperry@fscked.org>

-    uid                  Mike Perry <mikepery@fscked.org>

-    sub   4096g/AF0A91D7 2006-07-26

-

-    pub   1024D/F7C11265 2007-03-09 [expires: 2012-03-01]

-          Key fingerprint = FC8A EEF1 792E EE71 D721  7D47 D0CF 963D F7C1 1265

-    uid                  Karsten Loesing <karsten.loesing@gmx.net>

-    sub   2048g/75D85E4B 2007-03-09 [expires: 2012-03-01]

-

-    pub   1024D/22F6856F 2006-08-19

-          Key fingerprint = DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F

-    uid                  Robert Hogan <robert@roberthogan.net>

-    sub   1024g/FC4A9460 2006-08-19

-

-    pub   3072D/B374CBD2 2010-06-09 [expires: 2011-06-09]

-   	  Key fingerprint = B92B CA64 72F7 C6F0 8D47  8503 D2AC D203 B374 CBD2

-    uid                  Nathan of Guardian <nathan@guardianproject.info>

-    sub   4096g/B5878C3B 2010-06-09 [expires: 2011-06-09]

-

-    pub   2048R/886DDD89 2009-09-04 [expires: 2014-09-03]

-      Key fingerprint = A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89

-    uid                  deb.torproject.org archive signing key

-    sub   2048R/219EC810 2009-09-04 [expires: 2012-09-03]

     </pre>

-    <h3>Step Three:  Verify the downloaded package</h3>

-    <hr>

     <p>To verify the signature of the package you downloaded, you will need

-    to download the ".asc" file as well.</p>

+    to download the ".asc" file as well. Assuming you downloaded the

+    package and its signature to your Desktop, run:</p>

-    <p>In the following examples, the user Alice downloads packages for

-    Windows, Mac OS X and Linux and also verifies the signature of each

-    package. All files are saved on the desktop.</p>

-

-    <p><b>Windows:</b></p>

-    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre>

-

-    <p><b>Mac:</b></p>

     <pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc /Users/Alice/<file-osx-x86-bundle-stable></pre>

-    <p><b>Linux</b></p>

-    <pre>gpg --verify /home/Alice/Desktop/<file-source-stable>.asc /home/Alice/Desktop/<file-source-stable></pre>

-    

-

-    <p>After verifying, GnuPG will come back saying something like "Good

-    signature" or "BAD signature". The output should look something like

-    this:</p>

+    <p>The output should say "Good signature": </p>

     <pre>

-    gpg: Signature made Tue 16 Mar 2010 05:55:17 AM CET using DSA key ID 28988BF5

-    gpg: Good signature from "Roger Dingledine <arma@mit.edu>"

+    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659

+    gpg: Good signature from "Erinn Clark <erinn@torproject.org>"

+    gpg:                 aka "Erinn Clark <erinn@debian.org>"

+    gpg:                 aka "Erinn Clark <erinn@double-helix.org>"

     gpg: WARNING: This key is not certified with a trusted signature!

     gpg:          There is no indication that the signature belongs to the owner.

-    Primary key fingerprint: B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5

+    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

     </pre>

     <p>

@@ -221,25 +137,16 @@

     exchange key fingerprints.

     </p>

-    <p>For your reference, this is an example of a <em>BAD</em> verification. It

-    means that the signature and file contents do not match. In this case,

-    you should not trust the file contents:</p>

-

-    <pre>

-    gpg: Signature made Tue 20 Apr 2010 12:22:32 PM CEST using DSA key ID 28988BF5

-    gpg: BAD signature from "Roger Dingledine <arma@mit.edu>"

-    </pre>

-

-    <p><b>RPM-based distributions :</b></p>

-    <p>In order to manually verify the signatures on the RPM packages, you must use the

-    <code>rpm</code> tool like so: <br />

+    <h3>Linux</h3>

+    <hr>

-    <pre>rpm -K filename.rpm</pre></p>

-    <p></p>

+    <p>For <b>RPM-based distributions</b> you can manually verify the

+    signatures on the RPM packages by:</p>

+    <pre>rpm -K filename.rpm</pre>

-    <p><b>Debian:</b></p>

-    <p>If you are running Tor on Debian you should read the instructions on

-    <a href="<page docs/debian>#packages">importing these keys to apt</a>.</p>

+    <p>For <b>Debian</b>, you should read the instructions on <a

+    href="<page docs/debian>#packages">importing these keys to

+    apt</a>.</p>

     <p>If you wish to learn more about GPG, see <a

     href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>.</p>