Opened 12 months ago

Closed 5 months ago

#31295 closed defect (wontfix)

please serve Tor signature files with Content-Disposition that encourages a download rather than inline viewing

Reported by: dkg
Owned by: hiro
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity: Normal
Keywords:
Cc: pili, anarcat
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


When i click on the sig link in (which points to ) i find the OpenPGP signature displayed in the browser directly, rather than being saved to a file.

But the instructions for verifying the OpenPGP signature seem to assume that the signature file has been downloaded as a file.

If you use Content-Disposition you should be able to encourage the web browser to save the signatures as a file in the same way that the installer is a file.

I'm attaching a HAR archive of what my browser (Firefox 68) did when clicking on the sig link, which i think verifies that no Content-Disposition header was sent.

Attachments (1)

dist.torproject.org_Archive [19-07-30 17-30-21].har.gz (2.2 KB) - added by dkg 12 months ago.
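
An added example, not part of the ticket or the attached capture: a Python check that reads a HAR export (optionally gzipped, as the attachment above is) and reports whether each response carried a Content-Disposition header asking the browser to save the file. The sample capture and its example.org URLs are constructed for illustration.

```python
import gzip
import json
from email.message import Message


def load_har(path):
    """Load a HAR capture; transparently handles gzip-compressed files."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def disposition_report(har):
    """Return one row per response: URL, Content-Type, disposition, filename."""
    rows = []
    for entry in har["log"]["entries"]:
        # HTTP header names are case-insensitive, so normalise before lookup.
        headers = {h["name"].lower(): h["value"] for h in entry["response"]["headers"]}
        msg = Message()
        if "content-disposition" in headers:
            msg["Content-Disposition"] = headers["content-disposition"]
        disposition = msg.get_content_disposition()  # None when the header is absent
        rows.append({
            "url": entry["request"]["url"],
            "content_type": headers.get("content-type"),
            "disposition": disposition,
            "filename": msg.get_filename(),
            "save_requested": disposition == "attachment",
        })
    return rows


# Constructed sample capture (not the HAR attached to the ticket).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://dist.example.org/installer.exe.asc"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/plain"}]}},
    {"request": {"url": "https://dist.example.org/fixed/installer.exe.asc"},
     "response": {"status": 200, "headers": [
         {"name": "content-type", "value": "text/plain"},
         {"name": "Content-Disposition",
          "value": 'attachment; filename="installer.exe.asc"'}]}},
]}}

if __name__ == "__main__":
    for row in disposition_report(SAMPLE_HAR):
        print(row)
```
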

Change History (9)

comment:1 Changed 12 months ago by dkg

i had to gzip the HAR archive to avoid trac's spamfilter.

comment:2 Changed 12 months ago by anarcat

Component: changed from "- Select a component" to Webpages/Website
Owner: set to hiro

comment:3 Changed 12 months ago by pili

Cc: pili added

Adding this to my "signature verification issues" list

comment:4 Changed 11 months ago by torlove

Thanks pili.

This does need to be fixed asap. The easier we can make working with such files the better.

comment:5 Changed 11 months ago by sysrqb

Cc: anarcat added

I wonder if this requires a configuration change on the webserver (instead of the webpage or templating). If it is, then the component of this ticket can be changed, too.

comment:6 Changed 11 months ago by anarcat

it seems strange to make people download a text file instead of displaying it. after all, a .asc file is exactly *designed* to be user-readable and transported as text.

if we want users to download a blob, why don't we use the standard extension (as far as such a thing exists) which is .sig?

anarcat@curie:~(master)$ grep pgp /etc/mime.types 
application/pgp-encrypted			pgp
application/pgp-keys				key
application/pgp-signature			sig

(you'll note that .asc is not listed there, interestingly...)

comment:7 Changed 9 months ago by pili

There is also #32479 created

comment:8 Changed 5 months ago by hiro

Resolution: wontfix
Status: changed from new to closed