Opened 5 years ago

Closed 7 months ago

#17425 closed defect (fixed)

Improve GetTor Signature Section

Reported by: sukhbir
Owned by:
Priority: Medium
Milestone:
Component: Applications/GetTor
Version:
Severity: Normal
Keywords: anti-censorship-roadmap-2020Q1
Cc: mrphs, ilv, cohosh
Actual Points:
Parent ID: #9036
Points: 1
Reviewer:
Sponsor:

Description

The current GetTor reply we decided on earlier (and which is currently deployed) was:

SHA256 of Tor Browser 32/64-bit (advanced): 443b38f4aa1194125ca3c79157272d5c64006928c9128127788c1cdefa642d85
Fingerprint of key used to sign Tor Browser (advanced): 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

We can do better. If you see ticket:9036#comment:16, we will be introducing a new section on signatures and verification of the bundles. This is tricky since on one hand we want users to verify the bundles they downloaded, but on the other, it's not always easy to do so. This ticket will focus on what the text should look like and how we should ensure that users are easily able to verify the bundles.

(It's easier said than done and it's not like we are the first ones trying to solve this problem but we should focus on it from GetTor's context to narrow it down.)

Change History (11)

comment:1 Changed 5 years ago by ilv

I think the signatures section in the body message should have the minimum information needed to check the integrity of the files, otherwise the message will be TLDR. For the purpose of teaching end users how to do that, I think the best option would be to attach one or two guides. I wrote a proposal for verifying signatures here. What do you think of this idea?

comment:2 Changed 5 years ago by sukhbir

I agree that the main body should have very little information. Though we want people to verify the bundles, we realize that this is easier said than done.

I guess your idea about the guide is probably the best way to go forward. We should work on improving its text.

Last edited 5 years ago by sukhbir

comment:3 in reply to:  2 Changed 5 years ago by ilv

Replying to sukhbir:

> I guess your idea about the guide is probably the best way to go forward. We should work on improving its text.

Yes, and as you know, English is not my mother tongue, so some sentences might not sound natural to common people. In the dev meeting someone advised me that all gettor messages should be reviewed by a native English speaker :)

comment:4 Changed 18 months ago by gaba

Keywords: gettor-roadmap added
Owner: ilv deleted
Sponsor: Sponsor19
Status: new → assigned

comment:5 Changed 17 months ago by gaba

Keywords: ex-sponsor-19 added

Adding the keyword to mark everything that didn't fit into the time for sponsor 19.

comment:6 Changed 17 months ago by gaba

Keywords: ex-sponsor19 added
Sponsor: Sponsor19

Remove sponsor 19 and add a keyword ex-sponsor19 to mark all the tickets that could have been in the scope of the sponsor.

comment:7 Changed 12 months ago by cohosh

Cc: cohosh added

cc'ing cohosh on open GetTor tickets.

comment:8 Changed 9 months ago by cohosh

Points: 1

comment:9 Changed 9 months ago by gaba

Keywords: anti-censorship-roadmap-2020Q1 added; gettor-roadmap ex-sponsor-19 ex-sponsor19 removed

comment:10 Changed 8 months ago by teor

Status: assigned → new

Change tickets that are assigned to nobody to "new".

comment:11 Changed 7 months ago by cohosh

Resolution: fixed
Status: new → closed

This was handled in #23226. Here's the current (OS-specific) signature section:

Step 2: Verify the signature (Optional)

	Verifying the signature ensures that a certain package was generated by its
	developers, and has not been tampered with.  This email provides links to signature
	files that have the same name as the Tor Browser file, but end with ".asc" instead.

	If you run Windows, download Gpg4win and run its installer. In order to verify the
	signature you will need to type a few commands in windows command-line, cmd.exe.

	The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers
	signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

		gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

	This should show you something like:

		gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
		gpg: Total number processed: 1
		gpg:               imported: 1
		pub   rsa4096 2014-12-15 [C] [expires: 2020-08-24]
		      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
		uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
		sub   rsa4096 2018-05-26 [S] [expires: 2020-09-12]

	After importing the key, you can save it to a file (identifying it by fingerprint here):

		gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

	Next, you will need to download the corresponding ".asc" signature file and verify it
	with the command:

		gpgv --keyring .\tor.keyring Downloads\torbrowser-install-9.0.4_ar.exe.asc Downloads\torbrowser-install-9.0.4_ar.exe

	The result of the command should produce something like this:

		gpgv: Signature made 07/08/19 04:03:49 Pacific Daylight Time
		gpgv:                using RSA key EB774491D9FF06E2
		gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

You can see #23226 for examples of the other operating systems. The signature text will match the platform of the browser download users requested.
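
An added example, not part of the ticket or of GetTor's code: a script-side version of the check in comment 11. It runs gpgv with `--status-fd` and accepts the file only when a VALIDSIG status line names the primary fingerprint quoted in the signature section, rather than relying on the "Good signature" text. The function names, the status samples and the subkey fingerprint are constructed for illustration.

```python
import subprocess

# Primary-key fingerprint quoted in the signature section above.
TOR_BROWSER_FPR = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
# Any of these status keywords means the signature must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_status(status_text, expected_fpr=TOR_BROWSER_FPR):
    """Decide from `gpgv --status-fd` output whether the file is acceptable."""
    primaries = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text is never treated as proof
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "VALIDSIG":
            # Field 10 is the primary key fingerprint; fail closed if absent.
            if len(args) < 10:
                return False, "VALIDSIG without primary key fingerprint"
            primaries.append(args[9].upper())
    if not primaries:
        return False, "no VALIDSIG"
    if any(p != expected_fpr for p in primaries):
        return False, "signed by unexpected key"
    return True, "ok"

def verify(keyring, sig_path, file_path):
    """Run gpgv as in the guide, with machine-readable status on stdout."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, file_path],
        capture_output=True, text=True)
    ok, reason = check_status(proc.stdout)
    return ok and proc.returncode == 0, reason

# Constructed samples: the subkey fingerprint and timestamps are placeholders.
SUBKEY = "1" * 40
GOOD = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {SUBKEY[-16:]} Tor Browser Developers\n"
        f"[GNUPG:] VALIDSIG {SUBKEY} 2019-07-08 1562583829 0 4 0 1 10 00 "
        f"{TOR_BROWSER_FPR}\n")
TAMPERED = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {SUBKEY[-16:]} Tor Browser Developers\n"
OTHER_KEY = GOOD.replace(TOR_BROWSER_FPR, "2" * 40)

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("tampered", TAMPERED), ("other", OTHER_KEY)):
        print(name, check_status(sample))
```
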
