Opened 6 years ago

Closed 5 years ago

#13273 closed defect (fixed)

Clarify verifying-signatures.html for builds not signed by erinn

Reported by: seeess
Owned by:
Priority: Very Low
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords: gpg public key not found
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I downloaded tor-0.2.5.8-rc.tar.gz with the .asc and tried to verify them.

Clicking the "what's this" next to the asc file brings me to https://www.torproject.org/docs/verifying-signatures.html.en

That site is only focused on tor browser builds and says
"Erinn Clark signs the Tor Browser Bundles. Import her key..."

I must've missed the "tor browser" part and assumed Erinn signed all builds. Following the instructions gives me

gpg --verify tor-0.2.5.8-rc.tar.gz.asc tor-0.2.5.8-rc.tar.gz
gpg: Signature made Tue 23 Sep 2014 01:47:29 AM UTC using RSA key ID 19F78451
gpg: Can't check signature: public key not found

The problem is that it looks like Roger signs the alpha builds. I figured this out by googling around and finding https://www.torproject.org/docs/signing-keys.html

Suggested fix:
Mention the "public key not found" error on verifying-signatures.html and instruct users to download Roger's key.

And/or have a different "what's this" page linked next to the alpha builds (and anything else Erinn doesn't sign).
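
Added example (not part of the ticket or of the Tor Project's documentation): "public key not found" means gpg could not check the signature at all, which is a different outcome from a bad signature, and the two are easier to tell apart from gpg's machine-readable status lines than from its human-readable text. The function names and the sample status lines are constructed for illustration; the upper half of the key ID is not on this page and is left as `XXXXXXXX`.

```sh
#!/bin/sh
# Classify a `gpg --verify` run from its --status-fd lines.
# Prints one of:
#   good <fingerprint>    signature checks out; compare the fingerprint with
#                         the project's published signing-keys list
#   missing-key <keyid>   signer's public key is not in the keyring, so
#                         nothing was verified (the case in this ticket)
#   bad <keyid>           key is present but the file does not match
#   unknown               no recognisable status lines
classify_status() {
  local prefix="" tag="" arg="" rest="" good="" fpr="" missing="" bad=""
  while read -r prefix tag arg rest || [ -n "$prefix" ]; do
    [ "$prefix" = "[GNUPG:]" ] || continue   # skip human-readable lines
    case "$tag" in
      GOODSIG)   good=$arg ;;      # signature matches a key in the keyring
      VALIDSIG)  fpr=$arg ;;       # full fingerprint of the signing key
      BADSIG)    bad=$arg ;;       # data and signature disagree
      NO_PUBKEY) missing=$arg ;;   # key ID that has to be imported first
    esac
  done
  if   [ -n "$bad" ];     then echo "bad $bad"
  elif [ -n "$missing" ]; then echo "missing-key $missing"
  elif [ -n "$good" ] && [ -n "$fpr" ]; then echo "good $fpr"
  else echo "unknown"
  fi
}

# usage: verify_file SIGNATURE FILE
# Status lines go to stdout (fd 1); gpg's prose output on stderr is dropped.
verify_file() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status
}

# Constructed sample: status lines for a signature whose key is missing.
# Only the short ID 19F78451 comes from the report; other fields are made up.
SAMPLE_MISSING='[GNUPG:] ERRSIG XXXXXXXX19F78451 1 2 00 1411436849 9
[GNUPG:] NO_PUBKEY XXXXXXXX19F78451'
```

A `missing-key` result says which key ID to look up; which person's key that is still has to come from a trusted list such as the signing-keys page mentioned above, not from the signature itself.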

Change History (1)

comment:1 Changed 5 years ago by Sebastian

Resolution: fixed
Severity: Normal
Status: new → closed

The page got a major rework in the meantime; maybe it's better now.
