On Mon, Dec 12, 2016 at 10:48:46AM -0500, Tor-talk wrote:
> Reading through this:
> https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification
>
> Trying to do this on Mac OS X.
>
> `shasum -a 256 <tor browser distro>.dmg` clearly gives me a checksum that
> doesn't match the one in the "sha256sums-unsigned-build.txt" file. Tried it
> with 6.0.6 and 6.0.7.
>
> From what I understand, if the PGP signature is valid that confirms the
> package wasn't tampered with.
>
> But it is confusing and disturbing to a newbie to try this and get a
> mismatched checksum. Please modify these instructions so it's clear what this
> process is and what you have to do to get it to work because it doesn't work
> "out of the box" for Mac OS X.
>
> Thanks--
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

I had to ask the guys on the IRC myself. The hashes don't match because they were created before Apple does their code signing. Hence the "unsigned-build" in the filename.

If you want to verify Windows/OS X builds, you can only use the individual .asc signatures as described in the paragraphs above.
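
The mismatch described in the reply above, reproduced on constructed files as an added example that is not part of the original thread: a sums file written from a build output stops matching once the shipped file has been changed by signing. `Example.dmg`, the helper functions and the appended bytes standing in for signing changes are assumptions; only the `sha256sums-unsigned-build.txt` name comes from the thread.

```bash
#!/usr/bin/env bash
# Added example; every file name and byte of content below is constructed.

# SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file with its entry in a "<hash>  <name>" sums file.
# Prints match, mismatch or not-listed.
check_against_sums() {
    cas_name=$(basename "$1")
    cas_expected=$(awk -v n="$cas_name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2")
    if [ -z "$cas_expected" ]; then
        echo not-listed
    elif [ "$(sha256_of "$1")" = "$cas_expected" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Build a constructed "unsigned build" and "signed download" in a directory.
make_fixture() {
    mkdir -p "$1/build" "$1/download"
    printf 'constructed application payload\n' > "$1/build/Example.dmg"
    # The sums file is written from the build output, before any signing.
    printf '%s  %s\n' "$(sha256_of "$1/build/Example.dmg")" Example.dmg \
        > "$1/sha256sums-unsigned-build.txt"
    # Assumption: appended bytes stand in for whatever code signing changes.
    cp "$1/build/Example.dmg" "$1/download/Example.dmg"
    printf 'constructed stand-in for signing data\n' >> "$1/download/Example.dmg"
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
echo "build output:    $(check_against_sums "$demo_dir/build/Example.dmg" "$demo_dir/sha256sums-unsigned-build.txt")"
echo "signed download: $(check_against_sums "$demo_dir/download/Example.dmg" "$demo_dir/sha256sums-unsigned-build.txt")"
rm -rf "$demo_dir"
```

A `mismatch` here says only that the file differs from the one that was hashed; it does not distinguish signing from any other change, which is why the reply points to the .asc signatures for the shipped file.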