Sebastian Hahn committed on 2009-01-09 12:19:42
Showing 1 changed file with 9 additions and 9 deletions.
Missing: Jake's key. Also, I don't think people who haven't already heard of PGP will have any idea what is going on here
... | ... |
@@ -20,7 +20,7 @@ know the pgp key, you can't be sure that it was really us who signed it. The |
20 | 20 |
signing keys we use are Roger's (0x28988BF5) and Nick's (0x165733EA, or its |
21 | 21 |
subkey 0x8D29319A). Some binary packages may also be signed by Andrew's |
22 | 22 |
(0x31B0974B), Peter's (0x94C09C7F, or its subkey 0xAFA44BDD), or Matt's |
23 |
-(0x5FA14861). See keyserver.noreply.org for details.</p> |
|
23 |
+(0x5FA14861).</p> |
|
24 | 24 |
|
25 | 25 |
<p>You can import keys directly from GnuPG as well:</p> |
26 | 26 |
|
... | ... |
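Review bot: The unchanged line after this hunk still reads "You can import keys directly from GnuPG as well", but with "See keyserver.noreply.org for details." dropped from the line ending in (0x5FA14861) there is no longer a first method for "as well" to refer to, and the paragraph no longer says where the listed keys can be fetched. Either reword that lead-in or replace the removed sentence with a pointer to where the keys are published. The list also still lacks Jake's key, which the commit message flags as missing.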
@@ -65,16 +65,16 @@ sub 4096g/EA654E59 2005-08-17 |
65 | 65 |
</pre> |
66 | 66 |
|
67 | 67 |
<p>(Of course if you want to be really certain that those are the real ones |
68 |
-(this wiki could have been tampered with) then you should check this from more |
|
69 |
-places or even better get into key signing and build a trust path to those |
|
70 |
-keys.)</p> |
|
68 |
+then you should check this from more places or even better get into key signing |
|
69 |
+and build a trust path to those keys.)</p> |
|
71 | 70 |
|
72 | 71 |
<p>If you're using GnuPG, then put the .asc and the download in the same |
73 |
-directory and type "gpg (whatever).asc". It will say something like "Good |
|
74 |
-signature" or "BAD signature" using the following type of command:</p> |
|
72 |
+directory and type "gpg --verify (whatever).asc (whatever)". It will say |
|
73 |
+something like "Good signature" or "BAD signature" using the following type of |
|
74 |
+command:</p> |
|
75 | 75 |
|
76 | 76 |
<pre> |
77 |
-gpg --verify tor-0.1.0.17.tar.gz.asc |
|
77 |
+gpg --verify tor-0.1.0.17.tar.gz.asc tor-0.1.0.17.tar.gz |
|
78 | 78 |
gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5 |
79 | 79 |
gpg: Good signature from "Roger Dingledine <arma@mit.edu>" |
80 | 80 |
gpg: aka "Roger Dingledine <arma@mit.edu>" |
... | ... |
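Review bot: The new text at "something like "Good signature" or "BAD signature"" tells the reader what to look for but not to compare the key ID that gpg prints (28988BF5 in the sample output) against the signing keys listed earlier on the page; a "Good signature" from any other key in the reader's keyring would read the same. A sentence saying so would close that gap. Also, "It will say ... using the following type of command:" ties the clause to the output rather than to the instruction, and the command now appears twice (inline and in the pre block); consider ending the sentence after "BAD signature" and introducing the example on its own. As the commit message notes, ".asc" is still never explained for readers new to PGP.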
@@ -88,8 +88,8 @@ Notice that there is a warning because you haven't assigned a trust index to |
88 | 88 |
this user. This means that your program verified the key made that signature. |
89 | 89 |
It's up to the user to decide if that key really belongs to the developers. The |
90 | 90 |
best method is to meet them in person and exchange gpg fingerprints. Keys can |
91 |
-also be signed. If you look up arma or nick's keys, other people have |
|
92 |
-essentially said "we have verified this is arma/nick". So if you trust that |
|
91 |
+also be signed. If you look up Roger or Nick's keys, other people have |
|
92 |
+essentially said "we have verified this is Roger/Nick". So if you trust that |
|
93 | 93 |
third party, then you have a level of trust for that arma/nick. |
94 | 94 |
</p> |
95 | 95 |
|
96 | 96 |
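Review bot: The rename is incomplete: the two changed lines now say Roger, but the unchanged line that follows still ends "then you have a level of trust for that arma/nick", so the paragraph mixes both names. That line should be updated in the same change to read "Roger/Nick". In the first added line, "Roger or Nick's keys" would read better as "Roger's or Nick's keys".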