Ticket #9036: verifying-signatures-guide.txt

File verifying-signatures-guide.txt, 1.9 KB (added by ilv, 6 years ago)
1@@@@@@@@@@@@@@@@ IMPORTANT: GUIDE FOR VERIFYING SIGNATURES @@@@@@@@@@@@@@@@@@@@@
3Why should I read this guide?
5Many people have very real adversaries (governments, companies) who might try to
6give them a fake version of the Tor Browser - and it doesn't matter how secure
7and anonymous Tor Browser is if you're not running the real Tor Browser. To make
8sure you have downloaded the right Tor Browser, please follow the steps provided
9in this guide.
13To follow the steps of this guide you will need GnuPG. Most Linux distributions
14come with it preinstalled. If you don't have GnuPG on your system, please
15install it (e.g. sudo apt-get install gnupg).
17When the Tor Browser team releases a new version of Tor Browser, they *sign* the
18.tar.xz file and provide an .asc file with the signature in it. This way, using
19GnuPG and the .asc file you can make sure that you have downloaded the exact file
20they signed, and it was not tampered in anyway.
22For this, you will need to 1) import the key of the Tor Browser team, and 2)
23verify that the Tor Browser downloaded was signed with that key. To do that,
24open a terminal and follow the next steps (assuming that the .tar.xz and .asc
25files are in your home directory):
27 1) $ gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
28 2) $ gpg --verify ~/tor-browser-linux32-4.0.4_en-US.tar.xz{.asc*,}
30 Note: If you downloaded the 64-bit version, change 32 to 64 in step 2).
32If everything is correct, the output of 2) *must* contain the following two
33messages in it:
35 - "Good signature from Tor Browser Developers"
36 - "Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290"
38It's possible that you will see a warning message too. You can ignore this
39warning for the moment, as its meaning goes beyond the purposes of this guide
40and does not imply any sort of risk.