Opened 9 years ago

Last modified 18 months ago

#3893 needs_review enhancement

Verifying-signatures needs some work

Reported by: mikeperry Owned by: arma
Priority: Medium Milestone: website redesign
Component: Webpages/Website Version:
Severity: Normal Keywords:
Cc: erinn, ioerror, rransom, Sebastian, phobos Actual Points:
Parent ID: #30259 Points:
Reviewer: antonela Sponsor:

Description is ridiculously complicated and stuffed with tons of irrelevant information.

We should break it into 2 pages. The list of keys that signs sub-components and/or email should be on a completely separate page. The only keys on this page should be those that actually sign user-facing packages: TBB and (maybe) the vidalia expert bundles.

The page should walk the user through verifying a signature of a specific package for each platform. The page should focus on only one key and only one package. This package should probably be TBB.

Also, much of the material on this page is out of date. For example, the Mac utilities are completely different now, are hosted at a new URL, and now have a GUI that handles the key import process (but sadly not package signature verification). They do at least put the gpg binary into the system path, so you no longer have to grovel through /Applications in order to find it.

Child Tickets

#2340   defect       new                tbb-team     protect users against freeze, replay and version-rollback attacks
#5463   enhancement  closed             isis         BridgeDB must GPG-sign outgoing mails
#9843   task         closed             traumschule  Document how to verify Tor Browser archives after download
#9864   project      closed             Sherief      Make it easier for users to do file verification
#13065  defect       new                tbb-team     counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file
#13677  task         needs_information  Sherief      Update Tor Browser 4.x videos
#17413  enhancement  needs_review       traumschule  Usability of MacOS installation process
#21808  defect       closed             hiro         show Windows `gpg --verify` command on one line
#23586  defect       closed             traumschule  fingerprint in documentation is wrong
#26539  defect       needs_review       traumschule  add checksums to download page; make checksum vs. sig file purpose much clearer

Attachments (1)

Sample Windows Guide.tar (410.0 KB) - added by anonymous6748 8 years ago.
Sample Windows Guide


Change History (14)

comment:1 in reply to:  description Changed 9 years ago by arma

Replying to mikeperry:

> We should break it into 2 pages.

I agree it needs work. But we should be aware that many of the users who most need this page can't reach the Tor website. So turning it into multiple pages, both of which they need, will make the job of getting information to them even harder.

comment:2 Changed 9 years ago by phobos

I'm happy to accept patches.

comment:3 Changed 9 years ago by phobos

I think Roger cleaned up this page. Is it better now?

comment:4 Changed 9 years ago by arma

It is better, but still needs work.

Remaining is to teach the user about PGP and the web of trust, and explain that it isn't about just running these commands, it's about gaining trust in the key, and here are some ways to do that.
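To illustrate the distinction drawn in the comment above between running the commands and trusting the key, here is an added example (not part of the ticket or of the Tor website) that accepts a detached signature only when gpg's machine-readable status output names a pinned primary-key fingerprint. The fingerprints, the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample values, NOT real Tor Project keys: the pinned primary-key
# fingerprint and a signing-subkey fingerprint. A real pin must be obtained
# through a channel you trust independently of the download.
PINNED="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
SUBKEY="89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# verify_status PINNED_FPR: reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if a VALIDSIG line names the pinned primary key and no status
# line reports a bad, unverifiable, expired or revoked signature or key.
verify_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2   # refuse short key IDs as a pin
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; field 3 is the key
            # that made the signature (often a subkey).
            primary = (NF >= 12) ? $12 : $3
            if (primary == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_file PINNED_FPR SIGFILE DATAFILE: run gpg and apply the check above.
verify_file() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | verify_status "$1"
}

# Constructed status output for a good signature made by a subkey of PINNED.
constructed_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>" \
        "[GNUPG:] VALIDSIG $SUBKEY 2020-01-01 1577836800 0 4 0 1 8 00 $(printf '%s' "$PINNED" | tr -d ' ')"
}

constructed_status | verify_status "$PINNED" && echo "signed by pinned key"
```

A bare `gpg --verify` reports a good signature for any key in the local keyring; the pin is what ties the result to a key the user has a reason to trust.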

comment:5 Changed 9 years ago by phobos

Owner: changed from phobos to arma
Status: new → assigned

comment:6 Changed 8 years ago by anonymous6748

I think there should only be one platform per page.

For Linux users it's pretty straightforward, as their systems come with gpg anyway, since most distributors require it to sign the system's own packages.

When Mac users install GPGTools, it's within their path, so the commands are basically the same as for Linux users.

For Windows though, when they install gpg4win, it should be noted that the commands vary depending on whether the system is 32-bit or 64-bit, or on Windows Vista/7 or XP.

For example, my current Windows system installs into: C:\Program Files (x86)\GNU\GnuPG\gpg2.exe

I'd also recommend having pictures too, they can explain a lot. The last thing you want is inexperienced users scared and afraid to complete the process.

Changed 8 years ago by anonymous6748

Attachment: Sample Windows Guide.tar added

Sample Windows Guide

comment:7 Changed 8 years ago by anonymous6748

One of the unfortunate problems with GnuPG on Windows or MacOSX is that there's only one distribution of it provided by the gpg4win team. The authenticity of their binary distribution of GnuPG does not have the same level of assurance one can get from the distributed copy of GnuPG with a Linux distribution as the iso images for those usually include signed sha256 checksums.

Furthermore, it is not recommended to check the signature of a distribution of gpg with itself, but I guess for Windows users this cannot be avoided unless they boot up a LiveCD and check it from within there.

It is unlikely they have a Linux system to check gpg4win's integrity on.

Perhaps a possibility is to use an X.509 signature like the TrueCrypt team does:

gpg4win's website also isn't https (hopefully this could change), so the MITM vulnerability discussed on the Tor verification page could quite well affect the project page. It is at least fortunate that gpgtools uses https and is verified by the StartCom Ltd certificate authority.

In any case I've made some screenshots from a Windows 7 x64 system. These should be included with any step-by-step instructions created for Windows.

Another thing that should be noted: the gpg4win installer now puts gpg in the user's PATH by default, so specifying the full path, i.e. "C:\Program Files (x86)\GNU\GnuPG\gpg2.exe", is no longer required. Windows users can simply call "gpg2" like Linux and MacOSX users.

You should assume your users have never used the command prompt, so explaining each command is best.

comment:8 Changed 3 years ago by atagar

Severity: Normal

More discussion about this page is on

comment:9 Changed 3 years ago by hiro

Milestone: website redesign

comment:10 Changed 2 years ago by traumschule

Status: assigned → needs_review

remove full path from windows gpg command (comment:7)

Riseup's devs are similarly happy to keep their certificates and CA pages up to date.

If these patches get merged I might look into an automated solution (imagine a js os selector to download a .sh/.bat file and a script to generate gpg output for each new version). Feel free to assign me.


comment:11 Changed 2 years ago by traumschule

Parent ID: #23266

comment:12 Changed 2 years ago by traumschule

Reviewer: antonela

Update: Today a user in #tor had issues verifying the downloaded file.
Maybe it would help to fix the current website before the new one is ready?

PR 7 has been merged and is waiting for review by the UX team.

comment:13 Changed 18 months ago by pili

Parent ID: #23266 → #30259