the verifying signatures page is now less awful

it's still awful, in that it doesn't explain why you would want to verify
a signature, or how you actually decide whether to trust a key.

Roger Dingledine authored on 09/09/2011 18:54:21
Showing 1 changed files
... ...
@@ -12,205 +12,121 @@
12 12
     <h1>How to verify signatures for packages</h1>
13 13
     <hr>
14 14
 
15
-    <p>Each file on <a href="<page download/download>">our download page</a> is accompanied
16
-    by a file with the same name as the package and the extension
17
-    ".asc". These .asc files are GPG signatures. They allow you to verify
18
-    the file you've downloaded is exactly the one that we intended you to
19
-    get. For example, tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by
15
+    <p>Each file on <a href="<page download/download>">our download
16
+    page</a> is accompanied by a file with the same name as the
17
+    package and the extension ".asc". These .asc files are GPG
18
+    signatures. They allow you to verify the file you've downloaded
19
+    is exactly the one that we intended you to get. For example,
20
+    tor-browser-<version-torbrowserbundle>_en-US.exe is accompanied by
20 21
     tor-browser-<version-torbrowserbundle>_en-US.exe.asc.</p>
21 22
 
22
-    <p>Of course, you'll need to have our GPG keys in your keyring: if you don't
23
-    know the GPG key, you can't be sure that it was really us who signed it. The
24
-    signing keys we use are:</p>
25
-    <ul>
26
-    <li>Roger's (0x28988BF5) typically signs the source code file.</li>
27
-    <li>Nick's (0x165733EA, or its subkey 0x8D29319A).</li>
28
-    <li>Andrew's (0x31B0974B) typically signed older packages for windows and mac.</li>
29
-    <li>Peter's (0xC82E0039, or its subkey 0xE1DEC577).</li>
30
-    <li>Tomás's (0x9A753A6B) signs current Vidalia release tarballs and tags.</li>
31
-    <li>Matt's (0x5FA14861) signed older Vidalia release tarballs.</li>
32
-    <li>Damian's (0x9ABBEEC6) signs Arm releases</li>
33
-    <li>Jacob's (0xE012B42D).</li>
34
-    <li>Erinn's (0x63FEE659) and (0xF1F5C9B5) typically signs all windows, mac, and most linux packages.</li>
35
-    <li>Mike's (0xDDC6C0AD) signs the Torbutton xpi.</li>
36
-    <li>Karsten's (0xF7C11265) signs the metrics archives and tools.</li>
37
-    <li>Robert Hogan's (0x22F6856F) signs torsocks release tarballs and tags.</li>
38
-    <li>Nathan's (0xB374CBD2) signs the Android APK file for Orbot.</li>.
39
-    <li>Tor Project Archive (0x886DDD89) signs the deb.torproject.org repositories and archives</li>
40
-    </ul>
41
-
42
-    <h3>Step Zero: Install GnuPG</h3>
23
+    <h3>Windows</h3>
43 24
     <hr>
44
-    <p>You need to have GnuPG installed before you can verify
45
-    signatures.</p>
46 25
 
47
-    <ul>
48
-    <li>Linux: see <a
26
+    <p>You need to have GnuPG installed
27
+    before you can verify signatures. Go to <a
49 28
     href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>
50
-    or install <i>gnupg</i> from the package management system.</li>
51
-    <li>Windows: see <a
52
-    href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>. Look
53
-    for the "version compiled for MS-Windows" under "Binaries".</li>
54
-    <li>Mac: see <a
55
-    href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.</li>
56
-    </ul>
57
-
58
-    <h3>Step One:  Import the keys</h3>
59
-    <hr>
60
-    <p>The next step is to import the key. This can be done directly from
61
-    GnuPG. Make sure you import the correct key. For example, if you
62
-    downloaded a Windows package, you will need to import Erinn's key.</p>
29
+    and look for the "version compiled for MS-Windows" under "Binaries".</p>
30
+
31
+    <p>Once it's installed, use GnuPG to import the key that signed your
32
+    package. Since GnuPG for Windows is a command-line tool, you will need
33
+    to use <i>cmd.exe</i>. Unless you edit your PATH environment variable,
34
+    you will need to tell Windows the full path to the GnuPG program. If
35
+    you installed GnuPG with the default values, the path should be
36
+    something like this: <i>C:\Program Files\Gnu\GnuPg\gpg.exe</i>.</p>
63 37
 
64
-    <p><b>Windows:</b></p>
65
-    <p>GnuPG for Windows is a command line tool, and you will need to use
66
-    <i>cmd.exe</i>. Unless you edit your PATH environment variable, you will
67
-    need to tell Windows the full path to the GnuPG program. If you installed GnuPG
68
-    with the default values, the path should be something like this: <i>C:\Program
69
-    Files\Gnu\GnuPg\gpg.exe</i>.</p>
38
+    <p>Erinn Clark signs the Tor Browser Bundles. Import her key
39
+    (0x63FEE659) by starting <i>cmd.exe</i> and typing:</p>
70 40
 
71
-    <p>To import the key 0x28988BF5, start <i>cmd.exe</i> and type:</p>
41
+    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>
72 42
 
73
-    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre>
43
+    <p>After importing the key, you can verify that the fingerprint
44
+    is correct:</p>
74 45
 
75
-    <p><b>Mac and Linux</b></p>
76
-    <p>Whether you have a Mac or you run Linux, you will need to use the terminal
77
-    to run GnuPG. Mac users can find the terminal under "Applications". If you run
78
-    Linux and use Gnome, the terminal should be under "Applications menu" and
79
-    "Accessories". KDE users can find the terminal under "Menu" and "System".</p>
46
+    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint 0x63FEE659</pre>
47
+
48
+    <p>You should see:</p>
49
+    <pre>
50
+    pub   2048R/63FEE659 2003-10-16
51
+          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
52
+    uid                  Erinn Clark &lt;erinn@torproject.org&gt;
53
+    uid                  Erinn Clark &lt;erinn@debian.org&gt;
54
+    uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
55
+    sub   2048R/EB399FD7 2003-10-16
56
+</pre>
80 57
 
81
-    <p>To import the key 0x28988BF5, start the terminal and type:</p>
58
+    <p>To verify the signature of the package you downloaded, you will need
59
+    to download the ".asc" file as well. Assuming you downloaded the
60
+    package and its signature to your Desktop, run:</p>
82 61
 
83
-    <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x28988BF5</pre>
62
+    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre>
63
+
64
+    <p>The output should say "Good signature": </p>
65
+
66
+    <pre>
67
+    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
68
+    gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
69
+    gpg:                 aka "Erinn Clark &lt;erinn@debian.org&gt;"
70
+    gpg:                 aka "Erinn Clark &lt;erinn@double-helix.org&gt;"
71
+    gpg: WARNING: This key is not certified with a trusted signature!
72
+    gpg:          There is no indication that the signature belongs to the owner.
73
+    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
74
+    </pre>
75
+
76
+    <p>
77
+    Notice that there is a warning because you haven't assigned a trust
78
+    index to this person. This means that GnuPG verified that the key made
79
+    that signature, but it's up to you to decide if that key really belongs
80
+    to the developer. The best method is to meet the developer in person and
81
+    exchange key fingerprints.
82
+    </p>
84 83
 
85
-    <h3>Step Two:  Verify the fingerprints</h3>
84
+    <h3>Mac OS X</h3>
86 85
     <hr>
87
-    <p>After importing the key, you will want to verify that the fingerprint is correct.</p>
88 86
 
89
-    <p><b>Windows:</b></p>
90
-    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --fingerprint (insert keyid here)</pre>
87
+    <p>You need to have GnuPG installed before you can verify
88
+    signatures. You can install it from <a
89
+    href="http://macgpg.sourceforge.net/">http://macgpg.sourceforge.net/</a>.
90
+    </p>
91 91
 
92
-    <p><b>Mac and Linux</b></p>
93
-    <pre>gpg --fingerprint (insert keyid here)</pre>
92
+    <p>Once it's installed, use GnuPG to import the key that signed
93
+    your package. Erinn Clark signs the Tor Browser Bundles. Import her
94
+    key (0x63FEE659) by starting the terminal (under "Applications")
95
+    and typing:</p>
94 96
 
95
-    The fingerprints for the keys should be:
97
+    <pre>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659</pre>
96 98
 
97
-    <pre>
98
-    pub   1024D/28988BF5 2000-02-27
99
-          Key fingerprint = B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
100
-    uid                  Roger Dingledine &lt;arma@mit.edu&gt;
101
-
102
-    pub   3072R/165733EA 2004-07-03
103
-          Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA
104
-    uid                  Nick Mathewson &lt;nickm@alum.mit.edu&gt;
105
-    uid                  Nick Mathewson &lt;nickm@wangafu.net&gt;
106
-    uid                  Nick Mathewson &lt;nickm@freehaven.net&gt;
107
-
108
-    pub  1024D/31B0974B 2003-07-17
109
-         Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B
110
-    uid                  Andrew Lewman (phobos) &lt;phobos@rootme.org&gt;
111
-    uid                  Andrew Lewman &lt;andrew@lewman.com&gt;
112
-    uid                  Andrew Lewman &lt;andrew@torproject.org&gt;
113
-    sub   4096g/B77F95F7 2003-07-17
114
-
115
-    pub   4096R/C82E0039 2003-03-24
116
-          Key fingerprint = 25FC 1614 B8F8 7B52 FF2F  99B9 62AF 4031 C82E 0039
117
-    uid                  Peter Palfrader
118
-    uid                  Peter Palfrader &lt;peter@palfrader.org&gt;
119
-    uid                  Peter Palfrader &lt;weasel@debian.org&gt;
120
-
121
-    pub   1024D/9A753A6B 2009-09-11
122
-          Key fingerprint = 553D 7C2C 626E F16F 27F3  30BC 95E3 881D 9A75 3A6B
123
-    uid                  Tomás Touceda &lt;chiiph@gmail.com&gt;
124
-    sub   1024g/33BE0E5B 2009-09-11
125
-
126
-    pub   1024D/5FA14861 2005-08-17
127
-          Key fingerprint = 9467 294A 9985 3C9C 65CB  141D AF7E 0E43 5FA1 4861
128
-    uid                  Matt Edman &lt;edmanm@rpi.edu&gt;
129
-    uid                  Matt Edman &lt;Matt_Edman@baylor.edu&gt;
130
-    uid                  Matt Edman &lt;edmanm2@cs.rpi.edu&gt;
131
-    sub   4096g/EA654E59 2005-08-17
132
-
133
-    pub   1024D/9ABBEEC6 2009-06-17
134
-          Key fingerprint = 6827 8CC5 DD2D 1E85 C4E4  5AD9 0445 B7AB 9ABB EEC6
135
-    uid                  Damian Johnson (www.atagar.com) &lt;atagar1@gmail.com&gt;
136
-    uid                  Damian Johnson &lt;atagar@torproject.org&gt;
137
-    sub   2048g/146276B2 2009-06-17
138
-    sub   2048R/87F30690 2010-08-07
139
-
140
-    pub   4096R/E012B42D 2010-05-07
141
-          Key fingerprint = D8C9 AF51 CAA9 CAEA D3D8  9C9E A34F A745 E012 B42D
142
-    uid                  Jacob Appelbaum &lt;jacob@appelbaum.net&gt;
143
-    uid                  Jacob Appelbaum &lt;jacob@torproject.org&gt;
144
-    sub   4096R/7CA91A52 2010-05-07 [expires: 2011-05-07]
99
+    <p>After importing the key, you can verify that the fingerprint
100
+    is correct:</p>
101
+
102
+    <pre>gpg --fingerprint 0x63FEE659</pre>
145 103
 
104
+    <p>You should see:</p>
105
+    <pre>
146 106
     pub   2048R/63FEE659 2003-10-16
147 107
           Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
148 108
     uid                  Erinn Clark &lt;erinn@torproject.org&gt;
149 109
     uid                  Erinn Clark &lt;erinn@debian.org&gt;
150 110
     uid                  Erinn Clark &lt;erinn@double-helix.org&gt;
151 111
     sub   2048R/EB399FD7 2003-10-16
152
-
153
-    pub   1024D/F1F5C9B5 2010-02-03
154
-          Key fingerprint = C2E3 4CFC 13C6 2BD9 2C75  79B5 6B8A AEB1 F1F5 C9B5
155
-    uid                  Erinn Clark &lt;erinn@torproject.org&gt;
156
-    sub   1024g/7828F26A 2010-02-03
157
-
158
-    pub   1024D/DDC6C0AD 2006-07-26
159
-          Key fingerprint = BECD 90ED D1EE 8736 7980  ECF8 1B0C A30C DDC6 C0AD
160
-    uid                  Mike Perry &lt;mikeperry@fscked.org&gt;
161
-    uid                  Mike Perry &lt;mikepery@fscked.org&gt;
162
-    sub   4096g/AF0A91D7 2006-07-26
163
-
164
-    pub   1024D/F7C11265 2007-03-09 [expires: 2012-03-01]
165
-          Key fingerprint = FC8A EEF1 792E EE71 D721  7D47 D0CF 963D F7C1 1265
166
-    uid                  Karsten Loesing &lt;karsten.loesing@gmx.net&gt;
167
-    sub   2048g/75D85E4B 2007-03-09 [expires: 2012-03-01]
168
-
169
-    pub   1024D/22F6856F 2006-08-19
170
-          Key fingerprint = DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
171
-    uid                  Robert Hogan &lt;robert@roberthogan.net&gt;
172
-    sub   1024g/FC4A9460 2006-08-19
173
-
174
-    pub   3072D/B374CBD2 2010-06-09 [expires: 2011-06-09]
175
-   	  Key fingerprint = B92B CA64 72F7 C6F0 8D47  8503 D2AC D203 B374 CBD2
176
-    uid                  Nathan of Guardian &lt;nathan@guardianproject.info&gt;
177
-    sub   4096g/B5878C3B 2010-06-09 [expires: 2011-06-09]
178
-
179
-    pub   2048R/886DDD89 2009-09-04 [expires: 2014-09-03]
180
-      Key fingerprint = A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89
181
-    uid                  deb.torproject.org archive signing key
182
-    sub   2048R/219EC810 2009-09-04 [expires: 2012-09-03]
183 112
     </pre>
184 113
 
185
-    <h3>Step Three:  Verify the downloaded package</h3>
186
-    <hr>
187
-    <p> To verify the signature of the package you downloaded, you will need
188
-    to download the ".asc" file as well.</p>
189
-
190
-    <p>In the following examples, the user Alice downloads packages for
191
-    Windows, Mac OS X and Linux and also verifies the signature of each
192
-    package. All files are saved on the desktop.</p>
193
-
194
-    <p><b>Windows:</b></p>
195
-    <pre>C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Users\Alice\Desktop\<file-win32-bundle-stable>.asc C:\Users\Alice\Desktop\<file-win32-bundle-stable></pre>
114
+    <p>To verify the signature of the package you downloaded, you will need
115
+    to download the ".asc" file as well. Assuming you downloaded the
116
+    package and its signature to your Desktop, run:</p>
196 117
 
197
-    <p><b>Mac:</b></p>
198 118
     <pre>gpg --verify /Users/Alice/<file-osx-x86-bundle-stable>.asc /Users/Alice/<file-osx-x86-bundle-stable></pre>
199 119
 
200
-    <p><b>Linux</b></p>
201
-    <pre>gpg --verify /home/Alice/Desktop/<file-source-stable>.asc /home/Alice/Desktop/<file-source-stable></pre>
202
-    
203
-
204
-    <p>After verifying, GnuPG will come back saying something like "Good
205
-    signature" or "BAD signature". The output should look something like
206
-    this:</p>
120
+    <p>The output should say "Good signature": </p>
207 121
 
208 122
     <pre>
209
-    gpg: Signature made Tue 16 Mar 2010 05:55:17 AM CET using DSA key ID 28988BF5
210
-    gpg: Good signature from "Roger Dingledine &lt;arma@mit.edu&gt;"
123
+    gpg: Signature made Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659
124
+    gpg: Good signature from "Erinn Clark &lt;erinn@torproject.org&gt;"
125
+    gpg:                 aka "Erinn Clark &lt;erinn@debian.org&gt;"
126
+    gpg:                 aka "Erinn Clark &lt;erinn@double-helix.org&gt;"
211 127
     gpg: WARNING: This key is not certified with a trusted signature!
212 128
     gpg:          There is no indication that the signature belongs to the owner.
213
-    Primary key fingerprint: B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
129
+    Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
214 130
     </pre>
215 131
 
216 132
     <p>
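Review bot: Removing the signing-key list and the multi-developer fingerprint block (old lines 22-40 and 97-182) leaves Erinn's key 0x63FEE659 as the only one documented, so a reader verifying a source tarball, a Vidalia release or the Orbot APK no longer has a fingerprint on this page to compare against. Suggest keeping a short "which key signs what" list with the full fingerprints below the per-OS walkthroughs. In the Windows pre blocks (new lines 41, 46 and 62) the path C:\Program Files\Gnu\GnuPg\gpg.exe contains a space and is unquoted, so cmd.exe will not run it as typed; wrap the path in double quotes. In the Mac OS X section the new text at lines 114-116 says the package and signature are on the Desktop, but the unchanged command at line 118 still uses /Users/Alice/ with no Desktop component; make the two agree.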
... ...
@@ -221,28 +137,20 @@
221 137
     exchange key fingerprints.
222 138
     </p>
223 139
 
224
-    <p>For your reference, this is an example of a <em>BAD</em> verification. It
225
-    means that the signature and file contents do not match. In this case,
226
-    you should not trust the file contents:</p>
140
+    <h3>Linux</h3>
141
+    <hr>
227 142
 
228
-    <pre>
229
-    gpg: Signature made Tue 20 Apr 2010 12:22:32 PM CEST using DSA key ID 28988BF5
230
-    gpg: BAD signature from "Roger Dingledine &lt;arma@mit.edu&gt;"
231
-    </pre>
143
+    <p>For <b>RPM-based distributions</b> you can manually verify the
144
+    signatures on the RPM packages by:</p>
145
+    <pre>rpm -K filename.rpm</pre>
232 146
 
233
-    <p><b>RPM-based distributions :</b></p>
234
-    <p>In order to manually verify the signatures on the RPM packages, you must use the
235
-    <code>rpm</code> tool like so: <br />
236
-    
237
-    <pre>rpm -K filename.rpm</pre></p>
238
-    <p></p>
239
-    
240
-    <p><b>Debian:</b></p>
241
-    <p>If you are running Tor on Debian you should read the instructions on
242
-    <a href="<page docs/debian>#packages">importing these keys to apt</a>.</p>
147
+    <p>For <b>Debian</b>, you should read the instructions on <a
148
+    href="<page docs/debian>#packages">importing these keys to
149
+    apt</a>.</p>
243 150
 
244 151
     <p>If you wish to learn more about GPG, see <a
245 152
     href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>.</p>
153
+
246 154
   </div>
247 155
   <!-- END MAINCOL -->
248 156
   <div id = "sidecol">
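Review bot: The new Linux section (new lines 140-149) covers only rpm -K and the Debian apt link, and with the old Linux gpg --verify example removed in the previous hunk there is no import, fingerprint or verify walkthrough for Linux users checking a source tarball, unlike the Windows and Mac OS X sections. Suggest repeating the same three gpg steps here. The BAD signature example dropped at old lines 224-231 was the only place the page showed what a failed check looks like and said not to trust the file; consider keeping one sentence to that effect next to the "Good signature" output. The rpm -K line also gives no step for importing the signing key into rpm before running it.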