#27278 closed defect (user disappeared)

Bad Instruction Page

Reported by: TormanToo Owned by:
Priority: Medium Milestone:
Component: Webpages/Website Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The page at https://www.torproject.org/docs/debian.html.en does not work on Xubuntu 16. It should begin commands with sudo. Also, someone needs to go thru it and see that the outcome is full of errors.

Thank you.

Child Tickets

Change History (27)

comment:1 Changed 10 months ago by teor

What is "the outcome"?

The browser log, or the terminal after running the commands?

comment:2 Changed 10 months ago by TormanToo

I chose Option Two then I selected Ubuntu Xenial Xerus 16.04LTS. There is a whole litany of issues.

  1. I manually added the two lines to the /etc/apt/sources.list file.
  1. Then I tried apt install apt-transport-https. I got these results:

E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

The writer forgot sudo. But tried that and got:
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.2.27)
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

  1. Next it says, to use Apt with Tor later replace https:// with tor:// and run apt install apt-transport-tor. Why doesn't it just say to do that to begin with? There is no explanation.

apt install apt-transport-tor

E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

The writer forgot sudo again. Tried with it and got:
Building dependency tree
Reading state information... Done
The following additional packages will be installed;

tor tor-geioipdb torsocks

Suggested packages:

mixmaster torbrowser-launcher socat tor-arm apparmor-utils obfs4proxy

The following NEW packages will be installed:

apt-transport-tor tor tor-geoipbd torsocks

0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
E: The method driver /usr/lib/apt/methods/tor could not be found.

  1. Attempting to add the two keys causes errors also.

gpg --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: no keyserver known (use opton --keyserver)
gpg: keyserver receive failed: bad URI

So I tried:
gpg --recv --keyserver A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
I got the prompt back, so I guess something happened.

Next I tried:
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
gpg: can't open '/home/me/.gnupg/pubring.gpg'
gpg: WARNING: nothing exported
gpg: key export failted: file open error
gpg:no valid OpenPGP data found.

So then I tried:
sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.

  1. "You can install it with the following commands:" Install what????
  1. apt update:

Forgot sudo again.
sudo apt update
.....
.....
E: The method driver /usr/lib/apt/methods/tor could not be found.
.....
.....

Another forgotten sudo, but running:
sudo apt install tor deb.torproject.org-keyring
This got the normal responses, plus ended with:
E: The method driver /usr/lib/apt/methods/tor could not be found.

But after all this, Tor was still not showing up on any menu.

  1. No one did any proof reading to the line, "deb.torproject.org is also served through now also served via onion service: http://sdscoq7snqtznauu.onion/". It's also missing punctuation.
  1. "To use the onion service..." What?????

Proof read and test!!!!

comment:3 in reply to:  2 ; Changed 10 months ago by teor

Replying to TormanToo:

I chose Option Two then I selected Ubuntu Xenial Xerus 16.04LTS. There is a whole litany of issues.

  1. I manually added the two lines to the /etc/apt/sources.list file.
  1. Then I tried apt install apt-transport-https. I got these results:

E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

The writer forgot sudo.

Sometimes we assume that sysadmins understand which commands need root on their machine, and which root method they use (sudo, su, or ssh root@...).

We can add a note at the top, and add sudo to the commands that need root.

But tried that and got:
Reading package lists... Done
Building dependency tree
Reading state information... Done
apt-transport-https is already the newest version (1.2.27)
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

That's not an error, that's a normal status message on distributions that come with apt-transport-https.

  1. Next it says, to use Apt with Tor later replace https:// with tor:// and run apt install apt-transport-tor. Why doesn't it just say to do that to begin with? There is no explanation.

Because you have to install tor and apt-transport-tor using apt-transport-https to use apt-transport-tor.

apt install apt-transport-tor

E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

The writer forgot sudo again.

Ok, we'll add sudo to the commands.

Tried with it and got:
Building dependency tree
Reading state information... Done
The following additional packages will be installed;

tor tor-geioipdb torsocks

Suggested packages:

mixmaster torbrowser-launcher socat tor-arm apparmor-utils obfs4proxy

The following NEW packages will be installed:

apt-transport-tor tor tor-geoipbd torsocks

0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
E: The method driver /usr/lib/apt/methods/tor could not be found.

You can't use tor:// URLs to install apt-transport-tor. You have to install tor and apt-transport-tor using apt-transport-https to use apt-transport-tor.

  1. Attempting to add the two keys causes errors also.

gpg --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: no keyserver known (use opton --keyserver)
gpg: keyserver receive failed: bad URI

So I tried:
gpg --recv --keyserver A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
I got the prompt back, so I guess something happened.

Hmm, "--keyserver A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89" is probably your "gpg: keyserver receive failed: bad URI".

We should add the sks high availability pool URL to the instructions.

Next I tried:
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
gpg: can't open '/home/me/.gnupg/pubring.gpg'
gpg: WARNING: nothing exported
gpg: key export failted: file open error
gpg:no valid OpenPGP data found.

The keyserver step failed, so key export won't work.

So then I tried:
sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.

The keyserver step failed, so key export won't work.

  1. "You can install it with the following commands:" Install what????
  1. apt update:

Forgot sudo again.

Ok, we'll add it.

sudo apt update
.....
.....
E: The method driver /usr/lib/apt/methods/tor could not be found.

You can't use tor:// URLs to install apt-transport-tor. You have to install tor and apt-transport-tor using apt-transport-https to use apt-transport-tor.

.....
.....

Another forgotten sudo,

Ok, we'll add it.

but running:
sudo apt install tor deb.torproject.org-keyring
This got the normal responses, plus ended with:
E: The method driver /usr/lib/apt/methods/tor could not be found.

You can't use tor:// URLs to install apt-transport-tor. You have to install tor and apt-transport-tor using apt-transport-https to use apt-transport-tor.

But after all this, Tor was still not showing up on any menu.

The dependencies aren't installed.

  1. No one did any proof reading to the line, "deb.torproject.org is also served through now also served via onion service: http://sdscoq7snqtznauu.onion/". It's also missing punctuation.
  1. "To use the onion service..." What?????

Proof read and test!!!!

People have different English skill levels, access to different distributions, and different sysadmin skill levels.

Please be patient while we update our documentation.

comment:4 Changed 10 months ago by TormanToo

First of all, that page does not say it is only for sysadmins. I would think that Tor people would know that, since they promote Tor for everyone's use. This is the only place the average user can find to tell them how to install it. However, it is not clear, as you can see. So leaving out sudo was a bonehead mistake.

Computers are all about details and being perfect in what is entered. Any mistake and the whole process is garbage.

Further, you have got to explain things to the user and make sure that the correct steps work. Regardless of who is doing it, this was specifically for the user of Ubuntu and its various flavors, and so it should have been tested only on that sort of platform. There can be on generalities allowed in instructions.

As you can see, I am being very patient. Certainly this is clearly indicated by my very detailed report to you. But of course, I'm glad to help the FOSS industry that I love.

Once you get the instructions written out correctly, I will be glad to test them again for you.

comment:5 Changed 10 months ago by TormanToo

Here's another tip. If someone is testing and writing the steps in a non-English language, that's fine. No problem. One must get another expert English speaker to translate. Test and then translate. No biggie.

comment:6 Changed 10 months ago by traumschule

Hi TormanToo, thanks for testing!

Which version of gpg are you using? Modern gpg versions (2.1 and above) use a preconfigured keyservers.

I left out sudo on purpose because not all systems are configured to use sudo for security reasons. Can you test the guide again with following advice in mind:

Following apt commands expect to be run as root, please either open a
root terminal with sudo su or su. Note that
the first commands asks for your user password, the second for the root
password of your system.

To add Tor's signing key gpg key to apt, either all commands must be run with sudo or all in in a root terminal. Can you try to run this in a root console:

gpg --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

comment:7 Changed 10 months ago by TormanToo

Version 1.4.20

By the way, tell people to type gpg --version on the command line.

If you go back over all of my post in detail, you will see that I tried each command as they were written and then again with sudo as a prefix.

comment:8 Changed 10 months ago by traumschule

good you are back and you are right, i should have told you that command.

Now gpg 1.4 is pretty old and should be updated. Which verison of ubuntu are you using?
Can you please do this : sudo apt install gpg
It should update gpg to version 2.1.

If you happen to use a current Tor Browser you should be able to load the updated version of the guide at http://yslc6nb5fftewvbmxlkdm3h3b42feesug7qebc2a42xsgeesp4llkayd.onion/docs/debian.html

Please tell me how that works for you!

comment:9 Changed 10 months ago by traumschule

sorry, i meant sudo apt install gnupg2 - should be available for you down to trusty

comment:10 Changed 10 months ago by TormanToo

I am using Xubuntu 16.04.

Why not just suggest the use of sudo by itself?

comment:11 Changed 10 months ago by TormanToo

I'm still laughing at my results. Check this out:
Reading package lists... Done
Building dependency tree
Reading state information... Done
gnupg2 is already the newest version (2.1.11-6ubuntu2.1)
The following packages were automatically installed are not longer required:

linux-headers-4.13.0-36 linux-headers-4.13.0-36-generic linux-image-4.13.0-236-generic linux-image-extra-4.13.0-36-generic

Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

It appears that I had originally asked the wrong question in trying to find out the version. Did you notice that?

comment:12 Changed 10 months ago by TormanToo

Following your new instructions, everything worked up to the keys. Then I got the same errors as before.

comment:13 Changed 10 months ago by traumschule

Hi TormanToo,

Following your new instructions, everything worked up to the keys. Then I got the same errors as before.

When reporting errors please always paste the command you executed along with the whole output. Developers can only help if a user tells the expected outcome and what happened instead.

If gpg --version still shows 1.4, use gpg2 instead. Otherwise you need to add the --keyserver option (see at the head of the updated guide).

I am using Xubuntu 16.04.

That's fine.

Why not just suggest the use of sudo by itself?

sudo is a security risk because it allows privilege escalation from user to root. For example if you used sudo in the last minutes and execute another (unsafe) command on the same shell, it can take advantage of the left-over privilege. It's like leaving open a root console. Also if someone gets the password of a user that has full sudo privileges, then they can become root and take over your system. More here
Another risk on systems using Xorg is that any running application eavesdrop on the keys you enter.
Hence there are systems without sudo installed and the guide would not work for them. Also note that every command you execute with sudo is logged in /var/log/auth.log.
The better approach is to create ssh keys with ssh-keygen and add one's public key in ~/.ssh/id_rsa.pub to /root/.ssh/authorized_keys.
However I know there are different philosophies and Ubuntu promotes sudo quite much and if you are fine using sudo just replace '#' in the guide with sudo.

Good luck!

comment:14 Changed 10 months ago by TormanToo

.. please always paste the command you executed along with the whole output

I did. See above. You must stay focused. Nothing has changed. If it had, I would have clearly stated that.

Ifgpg --versionstill shows 1.4, use gpg2 instead. Otherwise you need to add the --keyserver option (see at the head of the updated guide).

Again, you should see the previous posts. It is very clear that one was version 1.4.20 and the other was version 2.1.11-6ubuntu2.1. Hopefully you can grasp that the first one was gpg and the second one was gpg2.

However I know there are different philosophies and Ubuntu promotes sudo quite much and if you are fine using sudo just replace '#' in the guide with sudo.

So then put your reasoning in the explanation because the user does not know these things. I cannot emphacize enough that you must explain everything. And put sudo in the list too.

comment:15 Changed 10 months ago by TormanToo

By the way, the editing window does not work correctly. It fails to show line feeds even though extra lines were inserted after quotations.

It makes everything run together making finding things too difficult.

Last edited 10 months ago by TormanToo (previous) (diff)

comment:16 Changed 10 months ago by traumschule

I can't help you with gpg 1.4 if you do not follow the guide.

comment:17 Changed 10 months ago by TormanToo

I never said I needed help with pgp 1.4. It was your instructions, or lack thereof, that caused the problem. You must tell people what you need to get Tor installed. Plain and simple.

Please go back to comment 3 above and start again.

Last edited 10 months ago by TormanToo (previous) (diff)

comment:18 Changed 10 months ago by TormanToo

I must point out that it always makes me laugh when people ask what I did or why I did something when I was just following their instructions.

If someone types in something incorrectly, then point it out.  But if not, fix your directions. Trying to switch the responsibility of bad directions or programming to the users is always wrong.

comment:19 Changed 10 months ago by traumschule

Hi TormanToo,

gpg --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: no keyserver known (use opton --keyserver)
gpg: keyserver receive failed: bad URI

So I tried:
gpg --recv --keyserver A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
I got the prompt back, so I guess something happened.

Try gpg2 --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 or sudo gpg --keyserver pool.sks-keyservers.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 or have a look at

https://tor.stackexchange.com/questions/12916/problem-with-tor-and-gpg-key or 
https://superuser.com/questions/715067/tor-dependency-package-error-on-debian-wheezy or
https://ooni.torproject.org/docs/ or 
https://fabianlee.org/2017/09/23/ubuntu-installing-tor-on-ubuntu-14-04-and-16-04/if or
https://medium.com/@jasonrigden/how-to-host-a-site-on-the-dark-web-38edf00996bf or
https://www.linux.com/blog/beginners-guide-tor-ubuntu 

if you want.

It's funny how many useful pages pop up searching for this key id.

Alternatively one can try to search for a key on a keyserver with a web interface and download the key from there (note the 0x before the key id):
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xA3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

  • Then you right click the link to the public key (not the summary peach)
  • copy it
  • go to your terminal
  • type 'wget -O - ' and paste the link, then continue typing ' | sudo apt-key add -
  • or just download the key with wget and sudo apt-key add FILE (replace FILE with the file name reported by wget)
  • if that gives OK, proceed with the rest of the guide

(got the inspiration from https://bitmask.net/en/install/linux)
or

  • show the key in the browser
  • press CTRL+a and CTRL+c
  • type into the terminal: gpg --import<enter> CTRL+V and CTRL+D

or

  • paste the copied key into a FILE and do gpg --import FILE

or

  • choose save as in the browser (i guess you get the idea)
Next I tried:
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
gpg: can't open '/home/me/.gnupg/pubring.gpg'
gpg: WARNING: nothing exported
gpg: key export failted: file open error
gpg:no valid OpenPGP data found.

So then I tried:
sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.

The second step only works of the first succeeded.

If that worked for you, i'm interested what you think of this page:
https://www.torproject.org/docs/verifying-signatures.html.en

Other good reads:

  • riseup.net/en/security/message-security/openpgp/gpg-best-practices
  • riseup.net/en/security/network-security/riseup-ca#import-riseups-public-pgp-key

comment:20 Changed 10 months ago by traumschule

Priority: Very HighMedium
Status: newneeds_information

after changes got merged nothings seems to be done here. waiting for an answer by the user if the current guide is ok or if anything is missing.

comment:21 Changed 10 months ago by TormanToo

"Try gpg2 --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89orsudo gpg --keyserver pool.sks-keyservers.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"
Your first command returned:
gpg: keybox '/home/ace/.gnupg/pubring.kbx' created
gpg: keyserver receive failed: No keyserver available

Your second command returned:
gpg: requesting key 886DDD89 from hkp server pool.sks-keyservers.net
gpg: /home/ace/.gnupg/trustdb.gpg: trustdb created
gpg: key 886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Now that looks promising.

"It's funny how many useful pages pop up searching for this key id.

Alternatively one can try to search for a key on a keyserver with a web interface and download the key from there (note the 0x before the key id):
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xA3C4F0F979CADBA8F512EE8CBC9E886DDD89"

Oh, I'm sorry. I thought you guys knew how to install Tor on Ubuntu. I guess you're just playing around with this page.

But then that makes me question why you even bother posting the page. Why not just tell your users to go fish?

On the other hand, if you're done playing around, then stick to the subject. I am testing your documented instructions, I'm not doing your research. Get that done. Let me know when you rewrite the instruction page, and I'll test again.

Last edited 10 months ago by TormanToo (previous) (diff)

comment:22 Changed 10 months ago by traumschule

Workflow is usually that those reporting issues to improve the Webpages are not the same as those updating the html files. Why don't you try to write sentences that should be added to make the guide more useful for Ubuntu.

comment:23 Changed 10 months ago by TormanToo

You really don't get that? If that is so, I guess I'm done here.

comment:24 in reply to:  3 Changed 10 months ago by arma

Replying to teor:

Sometimes we assume that sysadmins understand

It would probably be smart to say, at the top of the https://www.torproject.org/docs/debian page, that most users will want to get Tor Browser, and not do the instructions on this page. This page is for expert users who want to install the Tor deb, which is not what most users should want to do.

comment:25 in reply to:  6 Changed 10 months ago by arma

Replying to traumschule:

Can you try to run this in a root console:

gpg --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

In the past we worked hard to only get the key into the keyring of $USER, not of root. Doing the recv-key as root means root will make a keyring, which might be surprising in some way. I guess it's not a huge deal, but I wanted to provide some historical perspective. :)

comment:26 Changed 10 months ago by traumschule

Thanks for this perspective. Ideally i'd like to get our expert guides sudo free because it is setup specific and except the compilation part there's near to nothing that does not require admin privileges. To avoid creation of /root/.gnupg the --no-option is promoted, but it did not pass my test. In the end I am in favor of curling the key from tpo.

--no-options

Shortcut for --options /dev/null. This option is detected before an attempt to open an option file. Using this option will also prevent the creation of a ‘~/.gnupg’ homedir.

At first this seemed to work:

# gpg2 --no-options --auto-key-locate keyserver --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89|apt-key add -
OK

But when I removed /root/.gnupg:

# gpg2 --no-options --auto-key-locate keyserver --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89                                                             
gpg: keyblock resource '/root/.gnupg/pubring.kbx': No such file or directory
gpg: WARNING: nothing exported

#5996 comes to mind

comment:27 Changed 10 months ago by traumschule

Resolution: user disappeared
Status: needs_informationclosed
Note: See TracTickets for help on using tickets.