
Moved verification instructions from the FAQ to verifying-signatures.

Matt Pagan authored on 13/05/2014 01:25:52
Showing 2 changed files
... ...
@@ -1606,49 +1606,9 @@ href="http://www.crowdstrike.com/community-tools/index.html#tool-79">proposed
1606 1606
     <h3><a class="anchor" href="#VerifyDownload">How do I verify the download
1607 1607
     (sha256sums.txt)?</a></h3>
1608 1608
 
1609
-    <p>You can still verify your Tor Browser download by downloading the
1610
-    signature file (.asc) along with your package and <a
1611
-    href="<page docs/verifying-signatures>">
1612
-    checking the GPG signature</a> as before. We now have an additional
1613
-    verification method that allows you to verify the build as well as
1614
-    the download.</p>
1615
-
1616
-    <ul>
1617
-      <li>Download the Tor Browser package, the sha256sums.txt file, and the
1618
-      sha256sums signature files. They can all be found in the same directory
1619
-      under <a href="https://www.torproject.org/dist/torbrowser/">
1620
-      https://www.torproject.org/dist/torbrowser/</a>, for example in 3.5
1621
-      for TBB 3.5.</li>
1622
-      <li>Retrieve the signers' GPG keys. This can be done from the command
1623
-      line by entering something like
1624
-      <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
1625
-      (This will bring you developer Mike Perry's public key. Other
1626
-      developers' key IDs can be found on
1627
-      <a href="<page docs/signing-keys>">this
1628
-      page</a>.)</li>
1629
-      <li>Verify the sha256sums.txt file by executing this command:
1630
-      <pre>gpg --verify &lt;NAME OF THE SIGNATURE FILE&gt;.asc sha256sums.txt</pre></li>
1631
-      <li>You should see a message like "Good signature from &lt;DEVELOPER
1632
-      NAME&gt;". If you don't, there is a problem. Try these steps again.</li>
1633
-      <li>Now you can take the sha256sum of the Tor Browser package. On
1634
-      Windows you can use the <a href="http://md5deep.sourceforge.net/">
1635
-      hashdeep utility</a> and run
1636
-      <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
1637
-      On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.zip</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
1638
-      <li>You will see a string of letters and numbers.</li>
1639
-      <li>Open sha256sums.txt in a text editor.</li>
1640
-      <li>Locate the name of the Tor Browser file you downloaded.</li>
1641
-      <li>Compare the string of letters and numbers to the left of your
1642
-      filename with the string of letters and numbers that appeared
1643
-      on your command line. If they match, you've successfully verified the
1644
-      build.</li>
1645
-    </ul>
1646
-
1647
-    <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">
1648
-    Scripts</a> to <a
1649
-    href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate
1650
-    </a> these steps have been written, but to use them you will need to
1651
-    modify them yourself with the latest Tor Browser Bundle filename.</p>
1609
+    <p>Instructions are on the <a 
1610
+    href="<page docs/verifying-signatures#BuildVerification>">verifying 
1611
+    signatures</a> page.</p>
1652 1612
 
1653 1613
     <hr>
1654 1614
     
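Review bot: the replacement answer links straight to the new `#BuildVerification` anchor, so the basic check that the heading's question ("How do I verify the download?") used to cover first, downloading the `.asc` file and running `gpg --verify` on the package, is no longer mentioned anywhere in this FAQ entry; consider pointing at the top of the verifying-signatures page (or saying "check the GPG signature, and optionally the sha256sums, as described on ...") so readers who only need the signature check are not sent to the advanced section. The three added lines also carry trailing whitespace after `<a ` and `verifying `.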
... ...
@@ -179,6 +179,63 @@
179 179
     href="http://www.gnupg.org/documentation/">http://www.gnupg.org/documentation/</a>
180 180
     to learn more about GPG.</p>
181 181
 
182
+    <hr>
183
+
184
+    <a id="BuildVerification"></a>
185
+    <h3><a class="anchor" href="#BuildVerification">
186
+    Verifying sha256sums (advanced)</a></h3>
187
+    <hr>
188
+    <p>Build reproducibility is a <a 
189
+       href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">security 
190
+       property</a> of Tor Browser Bundle 3.0 and later. Anyone can build the 
191
+       Tor Browser Bundle on their own machine and produce a binary that is 
192
+       bit-for-bit identical to the binary we offer on the download page. 
193
+       Fortunately, it is not necessary for everyone to build the Tor Browser 
194
+       locally to get this security. Verifying and comparing the signed list 
195
+       of <a href="https://en.wikipedia.org/wiki/Cryptographic_hash">hashes</a> 
196
+       will confirm that multiple people have built Tor Browser Bundles 
197
+       identical to the download.</p>
198
+
199
+      <p>The steps below walk through this process:</p>
200
+
201
+    <ul>
202
+      <li>Download the Tor Browser package, the sha256sums.txt file, and the
203
+      sha256sums signature files. They can all be found in the same directory 
204
+      under <a href="https://www.torproject.org/dist/torbrowser/">
205
+      https://www.torproject.org/dist/torbrowser/</a>, for example in '3.5' 
206
+      for TBB 3.5.</li>
207
+      <li>Retrieve the signers' GPG keys. This can be done from the command 
208
+      line by entering something like 
209
+      <pre>gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC</pre>
210
+      (This will bring you developer Mike Perry's public key. Other 
211
+      developers' key IDs can be found on
212
+      <a href="https://www.torproject.org/docs/signing-keys.html.en">this 
213
+      page</a>.)</li>
214
+      <li>Verify the sha256sums.txt file by executing this command:
215
+      <pre>gpg --verify &lt;NAME OF THE SIGNATURE FILE&gt;.asc sha256sums.txt</pre></li>
216
+      <li>You should see a message like "Good signature from &lt;DEVELOPER 
217
+      NAME&gt;". If you don't, there is a problem. Try these steps again.</li>
218
+      <li>Now you can take the sha256sum of the Tor Browser package. On 
219
+      Windows you can use the <a href="http://md5deep.sourceforge.net/">
220
+      hashdeep utility</a> and run
221
+      <pre>C:\location\where\you\saved\hashdeep -c sha256sum &lt;TOR BROWSER FILE NAME&gt;.exe</pre>
222
+      On Mac or Linux you can run <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.zip</pre> or <pre>sha256sum &lt;TOR BROWSER FILE NAME&gt;.tar.gz</pre> without having to download a utility.</li>
223
+      <li>You will see a string of letters and numbers.</li>
224
+      <li>Open sha256sums.txt in a text editor.</li>
225
+      <li>Locate the name of the Tor Browser file you downloaded.</li>
226
+      <li>Compare the string of letters and numbers to the left of your
227
+      filename with the string of letters and numbers that appeared 
228
+      on your command line. If they match, you've successfully verified the 
229
+      build.</li> 
230
+    </ul>
231
+    
232
+    <p><a href="https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures">Scripts</a> 
233
+    to <a href="http://tor.stackexchange.com/questions/648/how-to-verify-tor-browser-bundle-tbb-3-x">automate</a> 
234
+    these steps have been written, but to use them you will need to modify 
235
+    them yourself with the latest Tor Browser Bundle filename.</p>
236
+    
237
+    <hr>
238
+
182 239
   </div>
183 240
   <!-- END MAINCOL -->
184 241
   <div id = "sidecol">
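Review bot: the Windows example `hashdeep -c sha256sum <TOR BROWSER FILE NAME>.exe` will not run as written; hashdeep's `-c` option takes an algorithm name and `sha256sum` is not one of them, so it should read `hashdeep -c sha256 <TOR BROWSER FILE NAME>.exe`. Two further points in the same block: the signing-keys link was changed from the `<page docs/signing-keys>` macro used in the removed FAQ text to a hard-coded `https://www.torproject.org/docs/signing-keys.html.en`, which pins translated pages to the English version, so keep the `<page>` form; and `<pre>` is a block element, so `On Mac or Linux you can run <pre>sha256sum ...</pre> or <pre>sha256sum ...</pre>` renders as broken paragraphs, where `<code>` (or one `<pre>` containing both commands) is the right markup. Many of the added lines also end in trailing whitespace.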