Opened 4 months ago

Closed 4 months ago

#33529 closed enhancement (wontfix)

Improve verifying signatures instructions

Reported by: PROTechThor Owned by: hiro
Priority: Medium Milestone:
Component: Webpages/Support Version:
Severity: Normal Keywords: docshackathon
Cc: ggus Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The instructions on verifying signatures at https://support.torproject.org/tbb/how-to-verify-signature/ should be clearer and more concise.

A frontdesk email reads:

"In order to verify the integrity of the Tor browser installation file, you recommend downloading GPG4win, but then your instructions for Windows say to use a command line command that is not included with that package, and there are no instructions on how to use the GUI to verify the package (or which GUI to use, since there are at least two included in GPG4win).

https://support.torproject.org/tbb/how-to-verify-signature/

Trying to import the asc file into Kleopatra or the GNU Privacy Assistant results in a message saying that 0 certificates were imported, or no keys were found.

What's more, there is a confusing reference to the " Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290)". Is this the key I'm supposed to be using for verification? This doesn't appear to be a PGP public key.

There's also a statement that suggests that the PGP public key file is automatically downloaded with the installation package, but it's not. "Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc"." The download page does not show file names, and using the download link on the download page only downloads the exe file."

Child Tickets

Change History (2)

comment:1 Changed 4 months ago by pili

Keywords: docshackathon added

comment:2 Changed 4 months ago by hiro

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.