Opened 7 months ago

Closed 6 months ago

#33548 closed defect (wontfix)

Help with How to verify download signature-Instructions unclear or missing for Linux

Reported by: AntiDiluv Owned by: hiro
Priority: Very High Milestone:
Component: Webpages/Website Version: Tor: unspecified
Severity: Normal Keywords: Download, Linux 32, Knoppix, signatures, keys
Cc: traumschule, trac-dip-importer, ggus Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

At https://support.torproject.org/tbb/how-to-verify-signature/ I'm finding no help, as a newbie. Suggest that you add a line or 2 that would help greatly: see below. Summary: I'm a new user of Knoppix 8.1. I've cc'd it to a USB drive but haven't yet found a thesaurus that gives lists of commands so a beginner can speak to 1 of the several terminals. Online and in the software, knowledge of command line language is simply assumed.

The onboard Tor downloader does not work and I don't know how to monkey with it. Yesterday I magically, effortlessly went to the Tor site on Firefox, downloaded Tor for Linux 32bit, and somehow intuited that by going to Properties in one of the files, I could find checksums, copy them to another slot in Properties, & Bingo, they matched. I had read about checksums before, but had never discovered where to find them or how to match them. Now I just discovered this by accident. I felt secure in opening that archive. It effortlessly deployed and I had one night of fast, lovely use of TOR as I used to have in Windows 7.

Today of course all my settings are gone, Tor is gone, and I had to start over. (I found online instructions by the author of Knoppix- from the 90s- as to how to configure Knoppix to save settings -to a floppy drive- for a start menu with items that don't exist anymore, which I can't find in the system. This seems typical.)
Today when I downloaded Tor and extracted the archive I found NO files with Properties that included checksums.

SUGGESTION: IT WOULD BE GREAT IF YOU INCLUDED INSTRUCTIONS ABOUT THIS ON YOUR HOW-TO-VERIFY-SIG PAGE.

So I deleted Tor and downloaded again.Same deal. Deleted again.
I next reviewed the instructions at https://support.torproject.org/tbb/how-to-verify-signature/
Your first suggestion is to download the signature file that accompanies each download, w/an .asc extension.
I have never been able to figure this out when I used Windows 7, nor could I now at https://www.torproject.org/download/languages/ . Under GNU/Linux, I can click on 32bit and get the download; and I can click on (sig) and open a tab that shows a long sequence of digits, with BEGIN PGP SIGNATURE and END PGP SIGNATURE bookending it. I see that the tab indeed has the name of the file + .asc. But I don't see any way to download this as an .asc file. The tab just opens and displays the digit string.
SUGGESTION: TELL US HOW TO MAKE IT DOWNLOAD AS A FILE.
If it is downloading automatically when I download the TOR archive, I don't know where it is.
SUGGESTION: TELL US WHERE WE SHOULD LOOK FOR IT, IF IT IS DOWNLOADING.
So I copied the string of numbers to the little text writer, leaf.txt, and saved that in Downloads with the file name + .asc.
But I doubt that's going to work as your instructions prescribe.Actually,that still leaves a question: there are no further instructions.

SUGGESTION: TELL US WHAT ONE IS SUPPOSED TO DO WITH THE .ASC FILE, ONCE LOCATED.

Next I went to your second suggestion,"FETCHING" the Tor Developers Key.

Luckily, you hinted at method in saying I would have to type in a terminal.
I found a terminal and typed in what you said to do, and was very gratified to find that it generated exactly what you predicted.

How frustrating then, your next instruction:

After importing the key, you can save it to a file (identifying it by fingerprint here):

gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

You were doing so well. Up til then as a normal newbie I was able to follow all instructions. Here they devolved into opaque geekspeak.

SUGGESTION: GIVE A CLUE AS TO HOW TO SAVE TO A FILE from where we're just hanging at a line in a terminal.

And WHAT DOES IT MEAN TO IDENTIFY BY a FINGERPRINT?

If this is impossible because terminals and their languages are vastly different,

at least define these terms.

Maybe someone can advise as to where to find simple commands in KDE for beginners. The KDE site is just for developers.

I've been 5 days holed up trying to figure out how to do basic things. I'm hungry; I have to go to the bathroom. I'd like to check my mail. People must think I've died.
Hope you can help me and others. Thanks.

BTW the download says it's v.9.0.5. The form to submit this ticket asks for version, but the only permitted fill-ins are variants of version 4...?? So I said unspecified.

SUGGESTION: Resolve this apparent mystery.

AND I am u nable to compose a Summary to the satisfaction of this Form: it keeps saying Error Loading Tickets.I wonder if I'll ever get to send this.

SUGGESTION: Have it give more info, so I can fix it. I don't know what it wants.

Child Tickets

Change History (2)

comment:1 Changed 7 months ago by AntiDiluv

ADD KEYWORD tbb-9.0-issues

comment:2 Changed 6 months ago by hiro

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.