#17425: Improve GetTor Signature Section
--------------------------------------------+------------------------
 Reporter:  sukhbir                         |          Owner:  (none)
     Type:  defect                          |         Status:  closed
 Priority:  Medium                          |      Milestone:
Component:  Applications/GetTor             |        Version:
 Severity:  Normal                          |     Resolution:  fixed
 Keywords:  anti-censorship-roadmap-2020Q1  |  Actual Points:
Parent ID:  #9036                           |         Points:  1
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------
Changes (by cohosh):

 * status:  new => closed
 * resolution:   => fixed

Comment:

 This was handled in #23226. Here's the current (OS-specific) signature
 section:

 {{{
 Step 2: Verify the signature (Optional)

 Verifying the signature ensures that a certain package was generated by
 its developers, and has not been tampered with. This email provides links
 to signature files that have the same name as the Tor Browser file, but
 end with ".asc" instead.

 If you run Windows, download Gpg4win and run its installer. In order to
 verify the signature you will need to type a few commands in windows
 command-line, cmd.exe.

 The Tor Browser team signs Tor Browser releases. Import the Tor Browser
 Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

 gpg --auto-key-locate nodefault,wkd --locate-keys torbrow...@torproject.org

 This should show you something like:

 gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrow...@torproject.org>" imported
 gpg: Total number processed: 1
 gpg:               imported: 1
 pub   rsa4096 2014-12-15 [C] [expires: 2020-08-24]
       EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
 uid           [ unknown] Tor Browser Developers (signing key) <torbrow...@torproject.org>
 sub   rsa4096 2018-05-26 [S] [expires: 2020-09-12]

 After importing the key, you can save it to a file (identifying it by
 fingerprint here):

 gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

 Next, you will need to download the corresponding ".asc" signature file
 and verify it with the command:

 gpgv --keyring .\tor.keyring Downloads\torbrowser-install-9.0.4_ar.exe.asc Downloads\torbrowser-install-9.0.4_ar.exe

 The result of the command should produce something like this:

 gpgv: Signature made 07/08/19 04:03:49 Pacific Daylight Time
 gpgv:                using RSA key EB774491D9FF06E2
 gpgv: Good signature from "Tor Browser Developers (signing key) <torbrow...@torproject.org>"
 }}}

 You can see #23226 for examples of the other operating systems.
 The signature text will match the platform of the browser download users
 requested.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17425#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
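
Added example, not part of the ticket or of GetTor's email text: the sample gpgv output above names the signing subkey (EB774491D9FF06E2) rather than the fingerprint that was imported, so a script can read `gpgv --status-fd` output and compare the primary-key fingerprint carried in the VALIDSIG line. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: act on gpgv's machine-readable status lines instead of
# reading the "Good signature" text by eye.

# Primary-key fingerprint of the Tor Browser Developers key, as given above.
EXPECTED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# check_status FPR: reads "[GNUPG:] ..." lines on stdin. Succeeds only if a
# VALIDSIG line carries FPR as its primary-key fingerprint (10th argument,
# awk field 12) and no failure status or foreign VALIDSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (NF >= 12 && toupper($12) == toupper(want)) { ok = 1 } else { bad = 1 }
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download KEYRING SIGFILE DATAFILE (hypothetical helper name)
verify_download() {
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed status output for an offline run. SUB stands in for the
# signing subkey's full fingerprint, which the page does not give.
SUB="0000000000000000000000000000000000000000"
GOOD="[GNUPG:] GOODSIG EB774491D9FF06E2 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG $SUB 2019-07-08 1562583829 0 4 0 1 10 00 $EXPECTED_FPR"
# Same shape, but from a key whose primary fingerprint is not the expected one.
OTHER="[GNUPG:] VALIDSIG $SUB 2019-07-08 1562583829 0 4 0 1 10 00 $SUB"

for sample in "$GOOD" "$OTHER"; do
    if printf '%s\n' "$sample" | check_status "$EXPECTED_FPR"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```
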