Move the "Verifying Singatures" page from the Wiki to the website.
Sebastian Hahn commited on 2009-01-09 12:19:35
Zeige 1 geänderte Dateien mit 117 Einfügungen und 0 Löschungen.
- en/verifying-signatures.wml 000000000..a41c053fe
| ... | ... |
@@ -0,0 +1,117 @@ |
| 1 |
+## translation metadata |
|
| 2 |
+# Revision: $Revision$ |
|
| 3 |
+# Translation-Priority: 3-medium |
|
| 4 |
+ |
|
| 5 |
+#include "head.wmi" TITLE="Verifying Signatures" CHARSET="UTF-8" |
|
| 6 |
+ |
|
| 7 |
+<div class="main-column"> |
|
| 8 |
+ |
|
| 9 |
+<h2>Verifying signatures on released files</h2> |
|
| 10 |
+<hr /> |
|
| 11 |
+ |
|
| 12 |
+<p>Each file on <a href="<page download>">our download page</a> is accompanied |
|
| 13 |
+by a file with the same name and the extension ".asc".</p> |
|
| 14 |
+ |
|
| 15 |
+<p>These are PGP signatures, so you can verify that the file you've downloaded |
|
| 16 |
+is exactly the one that we intended you to get.</p> |
|
| 17 |
+ |
|
| 18 |
+<p>Of course, you'll need to have our pgp keys in your keyring: if you don't |
|
| 19 |
+know the pgp key, you can't be sure that it was really us who signed it. The |
|
| 20 |
+signing keys we use are Roger's (0x28988BF5) and Nick's (0x165733EA, or its |
|
| 21 |
+subkey 0x8D29319A). Some binary packages may also be signed by Andrew's |
|
| 22 |
+(0x31B0974B), Peter's (0x94C09C7F, or its subkey 0xAFA44BDD), or Matt's |
|
| 23 |
+(0x5FA14861). See keyserver.noreply.org for details.</p> |
|
| 24 |
+ |
|
| 25 |
+<p>You can import keys directly from GnuPG as well:</p> |
|
| 26 |
+ |
|
| 27 |
+<pre>gpg --keyserver subkeys.pgp.net --recv-keys 0x28988BF5</pre> |
|
| 28 |
+ |
|
| 29 |
+<p>or search for keys with</p> |
|
| 30 |
+ |
|
| 31 |
+<pre>gpg --keyserver subkeys.pgp.net --search-keys |
|
| 32 |
+0x28988BF5</pre> |
|
| 33 |
+ |
|
| 34 |
+<p>and when you select one, it will be added to your keyring.</p> |
|
| 35 |
+ |
|
| 36 |
+<p>The fingerprints for the keys should be:</p> |
|
| 37 |
+ |
|
| 38 |
+<pre> |
|
| 39 |
+pub 1024D/28988BF5 2000-02-27 |
|
| 40 |
+ Key fingerprint = B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5 |
|
| 41 |
+uid Roger Dingledine <arma@mit.edu> |
|
| 42 |
+ |
|
| 43 |
+pub 3072R/165733EA 2004-07-03 |
|
| 44 |
+ Key fingerprint = B35B F85B F194 89D0 4E28 C33C 2119 4EBB 1657 33EA |
|
| 45 |
+uid Nick Mathewson <nickm@alum.mit.edu> |
|
| 46 |
+uid Nick Mathewson <nickm@wangafu.net> |
|
| 47 |
+uid Nick Mathewson <nickm@freehaven.net> |
|
| 48 |
+ |
|
| 49 |
+pub 1024D/31B0974B 2003-07-17 |
|
| 50 |
+ Key fingerprint = 0295 9AA7 190A B9E9 027E 0736 3B9D 093F 31B0 974B |
|
| 51 |
+uid Andrew Lewman (phobos) <phobos@rootme.org> |
|
| 52 |
+ |
|
| 53 |
+pub 1024D/94C09C7F 1999-11-10 |
|
| 54 |
+ Key fingerprint = 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F |
|
| 55 |
+uid Peter Palfrader |
|
| 56 |
+uid Peter Palfrader <peter@palfrader.org> |
|
| 57 |
+uid Peter Palfrader <weasel@debian.org> |
|
| 58 |
+ |
|
| 59 |
+pub 1024D/5FA14861 2005-08-17 |
|
| 60 |
+ Key fingerprint = 9467 294A 9985 3C9C 65CB 141D AF7E 0E43 5FA1 4861 |
|
| 61 |
+uid Matt Edman <edmanm@rpi.edu> |
|
| 62 |
+uid Matt Edman <Matt_Edman@baylor.edu> |
|
| 63 |
+uid Matt Edman <edmanm2@cs.rpi.edu> |
|
| 64 |
+sub 4096g/EA654E59 2005-08-17 |
|
| 65 |
+</pre> |
|
| 66 |
+ |
|
| 67 |
+<p>(Of course if you want to be really certain that those are the real ones |
|
| 68 |
+(this wiki could have been tampered with) then you should check this from more |
|
| 69 |
+places or even better get into key signing and build a trust path to those |
|
| 70 |
+keys.)</p> |
|
| 71 |
+ |
|
| 72 |
+<p>If you're using GnuPG, then put the .asc and the download in the same |
|
| 73 |
+directory and type "gpg (whatever).asc". It will say something like "Good |
|
| 74 |
+signature" or "BAD signature" using the following type of command:</p> |
|
| 75 |
+ |
|
| 76 |
+<pre> |
|
| 77 |
+gpg --verify tor-0.1.0.17.tar.gz.asc |
|
| 78 |
+gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5 |
|
| 79 |
+gpg: Good signature from "Roger Dingledine <arma@mit.edu>" |
|
| 80 |
+gpg: aka "Roger Dingledine <arma@mit.edu>" |
|
| 81 |
+gpg: WARNING: This key is not certified with a trusted signature! |
|
| 82 |
+gpg: There is no indication that the signature belongs to the owner. |
|
| 83 |
+Primary key fingerprint: B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5 |
|
| 84 |
+</pre> |
|
| 85 |
+ |
|
| 86 |
+<p> |
|
| 87 |
+Notice that there is a warning because you haven't assigned a trust index to |
|
| 88 |
+this user. This means that your program verified the key made that signature. |
|
| 89 |
+It's up to the user to decide if that key really belongs to the developers. The |
|
| 90 |
+best method is to meet them in person and exchange gpg fingerprints. Keys can |
|
| 91 |
+also be signed. If you look up arma or nick's keys, other people have |
|
| 92 |
+essentially said "we have verified this is arma/nick". So if you trust that |
|
| 93 |
+third party, then you have a level of trust for that arma/nick. |
|
| 94 |
+</p> |
|
| 95 |
+ |
|
| 96 |
+<p>All this means is you can ignore the message or assign a trust level.</p> |
|
| 97 |
+ |
|
| 98 |
+<p>For your reference, this is an example of a <em>BAD</em> verification. It |
|
| 99 |
+means that the signature and file contents do not match:</p> |
|
| 100 |
+ |
|
| 101 |
+<pre> |
|
| 102 |
+gpg --verify tor-0.1.0.17.tar.gz.asc |
|
| 103 |
+gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5 |
|
| 104 |
+gpg: BAD signature from "Roger Dingledine <arma@mit.edu>" |
|
| 105 |
+</pre> |
|
| 106 |
+ |
|
| 107 |
+<p>If you see a message like the above one, then you should not have any trust |
|
| 108 |
+in the file contents.</p> |
|
| 109 |
+ |
|
| 110 |
+<p>If you are running Tor on Debian you should read the instructions on |
|
| 111 |
+<a |
|
| 112 |
+href="https://wiki.torproject.org/noreply/TheOnionRouter/TorOnDebian">importing |
|
| 113 |
+these keys to apt</a>.</p> |
|
| 114 |
+ |
|
| 115 |
+</div><!-- #main --> |
|
| 116 |
+ |
|
| 117 |
+#include <foot.wmi> |
|
| 0 | 118 |