#30014 closed defect (fixed)

No links to signature files for Tor Browser

Reported by: pf.team Owned by: antonela
Priority: High Milestone:
Component: Webpages/Website Version:
Severity: Normal Keywords:
Cc: traumschule Actual Points:
Parent ID: #29901 Points:
Reviewer: Sponsor:


There used to be links to signature files on the download page (https://www.torproject.org/download/), in the new version they're absent. While you can still get these files by adding .asc to the file path, it's not immediately obvious, which kinda runs counter to the whole idea of accessibility, not to mention security. Made even worse by the fact that the instruction to check the signature is still present (https://support.torproject.org//tbb/how-to-verify-signature/), but the link to the signature itself is not.

Child Tickets

Change History (6)

comment:1 Changed 19 months ago by gk

Keywords: signature removed
Parent ID: #29901
Priority: ImmediateHigh
Severity: CriticalNormal

Another less obvious way is to go to https://www.torproject.org/download/languages/...

comment:2 Changed 19 months ago by antonela

Owner: changed from hiro to antonela
Status: newassigned

comment:3 Changed 19 months ago by antonela

Resolution: fixed
Status: assignedclosed

We included signature files for each downloadable version

comment:4 Changed 19 months ago by pf.team

Resolution: fixed
Status: closedreopened

We're grateful that you've added links to signatures on the download page, but we couldn't help but notice that a button labeled "Sig" may be interpreted incorrectly by an inexperienced user, since it simply leads to a page with some unfamiliar symbols on it without any instructions on what to do with them.

To make some sense out of it, said user would have to find a link at the bottom of the downloads page, which is not visible right away on an average screen. Meaning that most users will probably never reach that point, and even if they do, they may not make a connection between this link and all these "Sig" buttons.

The instructions themselves don't say where exactly to obtain these signatures, and don't mention these "Sig" buttons at all. This is also a problem, because unlike the installation files themselves, the "Sig" button does not lead to a file download prompt on an average browser.

If this situation is left "as is", most users will still fail to verify their installation files with the signatures provided. We think that it would be best to do something similar to the old version, where links to installation files for various operating systems were accompanied both by links to signatures and a link to the instructions on how to verify them.

comment:5 Changed 18 months ago by antonela

Thanks! I agree. The verification signature flow is very painful and non intuitive for non technical users. Even the previous version which has the .sig file and the instruction beside it is not helping users who don't know how to open a console.

This version helps users who know what they are looking for.

I opened #30259 to follow this discussion and to find a better flow for doing it. What SimplySecure did at Tails for verification is really good, we could follow that user-centered intention:


This ticket will get closed, since the scope was reached.

comment:6 Changed 18 months ago by antonela

Resolution: fixed
Status: reopenedclosed
Note: See TracTickets for help on using tickets.