Make it easier for users to do file verification
Verifying the contents of the Tor Browser Bundle seems to be one of the most confusing things that we ask users to do. The help desk often gets requests from users seeking guidance on verifying bundles.
The website documentation on file signature verification we have can be found at https://www.torproject.org/docs/verifying-signatures.html.en. Multiple users have reported that these inctructions are confusing. I don't think this entirely the fault of the page's author.
There are several issues here to consider:
-
On the file verification page we tell Windows users to download Gpg4win so they can download the bundles. Unfortunately there's no verification tool for gpg4win.
-
The signature verification page will be out-of-date once TBB 3 becomes stable. Verifying TBB 3 requires users to verify a signed text file of sha256sums, and then take the sha256sum of the package and see if it matches what's in the signed text file. Currently there is no way to take the sha256sum of anything on Windows unles you compile a program to do it yourself or download and run an unverified .exe file from any number of http-only websites that show up on a google search.
-
Command line interface is intimidating for many people. There are no instructions on our website for using GUI GnuPG frontends.