Opened 8 weeks ago

Last modified 7 weeks ago

#31896 assigned defect

Bad instructions in Support Portal, "How can I verify Tor Browser's signature?", discourage, deter, and prevent users on macOS from verifying the Signature of downloaded Tor Browser packages

Reported by: monmire Owned by: pili
Priority: High Milestone:
Component: Webpages/Support Version:
Severity: Normal Keywords: Support Portal bad instructions increase chance of users on macOS receiving a Tor Browser package containing corrupted files and/or malware - issue
Cc: ggus Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Platform: Tor Browser 8.5.5 on macOS Mojave 10.14.6

Users on macOS who rely solely on and adhere to the crucial Support Portal instructions currently appearing in How can I verify Tor Browser's signature? never will be able to use the Tor Browser Developer's signing key to verify the Signature of a downloaded Tor Browser package.

"How can I verify Tor Browser's signature?" instructions contain misinformed, inaccurate, and incomplete instructions for users on macOS needing to use the Tor Developer's Signing key (".asc" file) to verify the Signature of a downloaded Tor Browser package (".dmg" file).

The crucial "How can I verify Tor Browser's signature?" instructions for users on Windows and GNU/Linux to verify the Signature of a downloaded Tor Browser package DO NOT WORK for users on macOS.

The current "How can I verify Tor Browser's signature?" documentation instructs users on macOS, Windows, and GNU/Linux, to enter a command with gpgv --keyring ./tor.keyring in the command line, and the command looks something like the following command to verify the Signature of a downloaded Tor Browser package, but a command with gpgv --keyring ./tor.keyring in the command line DOES NOT WORK for users on macOS:

gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-8.5.4-osx64_en-US.dmg{.asc,}


For users on macOS, the preceding command or other similar command using gpgv --keyring ./tor.keyring in the command line returns the following message:

gpgv: keyblock resource './tor.keyring': No such file or directory
gpgv: no valid OpenPGP data found.
gpgv: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.


For users on macOS, attempts to verify the Signature of a downloaded Tor Browser package by using gpgv --keyring .\tor.keyring in the command line will fail.

For users on macOS, the gpg --verify command must appear in the command line for verification of the Signature of a downloaded Tor Browser package to be successful. The example below assumes the user has downloaded the Tor Browser package (".dmg") file and the PGP Signature (".asc") file to the "Downloads" folder.

Users on macOS use the command with the following form, and gpg --verify appears in the command line to verify the Signature of a downloaded Tor Browser package:

gpg --verify ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg.asc /Downloads/TorBrowser-8.5.5-osx64_en-US.dmg

For users on macOS, the TorBrowser-8.5.5-osx64_en-US.dmg.asc entry must precede the TorBrowser-8.5.5-osx64_en-US.dmg entry on the command line; the preceding command successfully verifies the Signature of the downloaded Tor Browser package by returning the following message:


gpg: Signature made Tue Sep 3 06:07:30 2019 PDT
gpg: using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"


"How can I verify Tor Browser's signature?" instructions should be edited accordingly and should have the additional instructions below necessary for users on macOS relying solely on "How can I verify Tor Browser's signature?" instructions to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.


In the subsection "Fetching the Tor Developers key" in "How can I verify Tor Browser's signature?, the content should present something like the following instructions for the benefit of all users on macOS:

The Tor Browser team signs Tor Browser releases.

Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

After importing the Tor Browser Developers signing key, users can take the additional step of saving it to a file by entering the following command:

gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

On macOS, by default, the preceding export command saves the Tor Browser Developers key in the following file:

~/Users/<user name>/tor.keyring


For users on macOS, the subsection "Verifying the signature" in "How can I verify Tor Browser's signature?" contains misinformed and incomplete instructions. These instructions should be edited for the benefit of users on macOS and should include the additional instructions below, crucial for users on macOS relying solely on "How can I verify Tor Browser's signature?" instructions to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.

The "Verifying the signature" subsection presently contains the following information, which confusingly applies the information to users on Windows, GNU/Linux, and macOS, but in reality the information does not apply accurately to users on macOS:

Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc"


The preceding inaccurate information causes confusion for users on macOS and acts as a deterrent and a stumbling block for users on macOS, thereby discouraging, thwarting, or preventing users on macOS from using the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.

In the subsection "Verifying the signature?" in "How can I verify Tor Browser's signature?", something that looks like the following content justifiably merits inclusion in the instructions so that users on macOS relying solely on "How can I verify Tor Browser's signature?" instructions can receive the crucial benefit of using the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package:

After a macOS user downloads the Tor Browser package (".dmg" file), the user downloads the Signature file corresponding with the downloaded Tor Browser installer package.

For users on macOS, on the Tor Browser Download page, clicking on the "Sig" or "(sig)" link that corresponds with the downloaded Tor Browser package will open an additional tab in the Tor Browser window, and the window content will include only a block of text, which is the PGP Signature itself.

Users on macOS must save the block of text (the PGP Signature) as an ".asc" file.


In the Tor Browser menu bar, users on macOS select "File > Save Page As", which will open a Finder-save window.


In the Finder-save window, a file name that looks something like TorBrowser-8.5.5-osx64_en-US.dmg.asc, will self-populate in the space bar on the right side of "Save As:".


If the name of the self-populated file looks something like TorBrowser-8.5.5-osx64_en-US.dmg, the user must type ".asc" file extension at the end of the file name to make it look something like TorBrowser-8.5.5-osx64_en-US.dmg.asc.


In the Finder-save window, the user selects a folder to save the Signature (".asc") file and saves it in the same folder where the downloaded Tor Browser package (".dmg") file was saved, e.g., in the "Desktop" folder or the "Downloads" folder.

The user customarily always should save the PGP Signature (".asc") file in the same folder where the user saved the downloaded Tor Browser package (".dmg" file).

The downloaded Tor Browser package itself will have a file name that looks something like TorBrowser-8.5.5-osx64_en-US.dmg.


The important content below justifiably merits inclusion in the instructions in the "How can I verify Tor Browser's signature?" section for users on macOS to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.

For users on macOS who have installed GPGTools and have imported the Tor Browser Developers key into GPG Keychain, the following instructions allow users to verify the Signature of each downloaded Tor Browser package quickly without having to use terminal commands each time the user downloads a fresh updated or upgraded Tor Browser package (".dmg file) and its corresponding Signature ("Sig") file:


When the downloaded Tor Browser package (".dmg") file and its corresponding Signature (".asc") file are saved in the same folder, users on macOS can double-click on the ".asc" file to open the "Verification Results" window. A successful verification will display in the "Verification Results" window a message that looks something like the following:

TorBrowser-8.5.5-osx64_en-US.dmg.asc Signed by: Tor Browser Developers (signing key) <torbrowser@torproject.org> (1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2) - Ultimate trust

The term "Ultimate trust" will appear at the end of the preceding message only if the user on macOS has assigned "Ownertrust: Ultimate" in GPG Keychain > pub...Tor Browser Developers...4E2C 6E87 9329 8290 > Key Details > Key.


Before assigning "Ultimate trust", it is crucial for users on macOS to confirm that the Key Fingerprint and Subkey Fingerprint appearing in the GPG Keychain window match the corresponding Key Fingerprint and Subkey Fingerprint appearing in the official Tor Project list of signing keys.


After the "How can I verify Tor Browser's signature? instructions are edited as described, users on macOS who rely solely on "How can I verify Tor Browser's signature?" documentation will be able to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package, thereby reducing the chances of users on macOS unknowingly or unwittingly installing Tor Browser packages that might contain corrupted files and/or malware.

Shouldn't we make it both possible and easier for all users, including users on macOS, to verify Tor Browser's signature?

In the "How can I verify Tor Browser's signature?" section, can we edit the instructions as described so users on macOS relying solely on "How can I verify Tor Browser's signature?" documentation can use the Tor Browser Developer's signing key to verify the Signature each time a user on macOS downloads a fresh Tor Browser package.

#31296 reopened defect
#31254 closed defect (fixed)

Child Tickets

Change History (1)

comment:1 Changed 7 weeks ago by pili

Owner: changed from hiro to pili
Status: newassigned
Note: See TracTickets for help on using tickets.