Opened 6 years ago

Closed 6 years ago

#3379 closed defect (fixed)

GetTor reply omits GPG instructions

Reported by: rransom Owned by:
Priority: Very High Milestone:
Component: Applications/GetTor Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

 Here's your requested software as a zip file. Please unzip the
package and verify the signature.

Hint: If your computer has GnuPG installed, use the gpg
commandline tool as follows after unpacking the zip file:

The output should look somewhat like this:

  gpg: Good signature from 'Roger Dingledine <arma@mit.edu>'

If you're not familiar with commandline tools, try looking for
a graphical user interface for GnuPG on this website:

  http://www.gnupg.org/related_software/frontends.html

Child Tickets

Change History (2)

comment:1 in reply to:  description Changed 6 years ago by rransom

Replying to rransom:

The output should look somewhat like this:

  gpg: Good signature from 'Roger Dingledine <arma@mit.edu>'

The message contains Roger's user ID, even if the package attached to it is signed by (for example) Erinn.

nickm suggests that the GetTor message not use the user ID of any real key in its example, because then users will trust that user ID to sign the package. I don't know what would be better, though; users who need to use GetTor can't read our verifying-signatures page.

comment:2 Changed 6 years ago by kaner

Resolution: fixed
Status: newclosed

Fixed. Closing.

Note: See TracTickets for help on using tickets.