Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-13T17:36:46Z

https://gitlab.torproject.org/legacy/trac/-/issues/31211
Inaccurate and confusing Support doc can mislead macOS users into incorrectly using Tor Browser with two simultaneous instances of the Tor-Browser Data folder.
2020-06-13T17:36:46Z
Trac

Tor Browser 8.5.4 on macOS 10.14.5 Mojave.
`How do I uninstall Tor Browser?` https://support.torproject.org/tbb/tbb-28/
The following inaccurate and confusing language pertaining to macOS appears in the documentation:
`Locate your Tor Browser folder or application. The default location on Windows is the Desktop; on macOS it is the Applications folder (on macOS, you have to move it into the Applications folder when you complete the installation process).`
The documentation inaccurately states, `on macOS it is in the Applications folder (on macOS, you have to move it into the Application folder when you complete the installation process).`
A user will be unable to find the Tor-Browser Data folder in `/Applications` because the Tor-Browser Data folder does not install in `/Applications`.
By default, the Tor-Browser Data folder installs in `~/Library/Application Support`.
And, by default, TorBrowser.app installs in `~/Applications`.
----
Duplicate the issue:
Per the inaccurate and confusing language pertaining to macOS in the documentation, a user moves the Tor-Browser Data folder to `/Applications`.
When the user quits and restarts Tor Browser, no Tor-Browser Data folder is present in its default location `~/Library/Application Support`; thus, Tor Browser.app installs a new instance of the Tor-Browser Data folder in `~/Library/Application Support`.
The computer now has two separate and simultaneous instances of the Tor-Browser Data folder.
One Tor-Browser Data folder is in `/Applications`, and the other Tor-Browser Data folder is in `~/Library/Application Support`.
----
To avoid the possibility of confusing or misleading users into mistaken attempts to use Tor Browser with two separate and simultaneous instances of the Tor-Browser Data folder, we should change the inaccurate and misleading language pertaining to macOS in the referenced documentation to reflect something like the following:
`On macOS, by default, your Tor-Browser Data folder installs in ~/Library/Application Support. On macOS, by default, your TorBrowser.app installs in /Applications. To uninstall Tor Browser, delete your Tor-Browser Data folder and delete your TorBrowser.app.`
**Trac**:
**Username**: monmire
Colin Childs

https://gitlab.torproject.org/legacy/trac/-/issues/31896
Bad instructions in Support Portal, "How can I verify Tor Browser's signature?", discourage, deter, and prevent users on macOS from verifying the Signature of downloaded Tor Browser packages
2020-06-13T17:12:31Z
Trac

Platform: Tor Browser 8.5.5 on macOS Mojave 10.14.6
Users on macOS who rely solely on and adhere to the crucial Support Portal instructions currently appearing in [How can I verify Tor Browser's signature?](https://support.torproject.org/tbb/how-to-verify-signature/) never will be able to use the Tor Browser Developer's signing key to verify the Signature of a downloaded Tor Browser package.
"How can I verify Tor Browser's signature?" instructions contain misinformed, inaccurate, and incomplete instructions for users on macOS needing to use the Tor Developer's Signing key (".asc" file) to verify the Signature of a downloaded Tor Browser package (".dmg" file).
The crucial "How can I verify Tor Browser's signature?" instructions for users on Windows and GNU/Linux to verify the Signature of a downloaded Tor Browser package DO NOT WORK for users on macOS.
The current "How can I verify Tor Browser's signature?" documentation instructs users on macOS, Windows, and GNU/Linux, to enter a command with `gpgv --keyring ./tor.keyring` in the command line, and the command looks something like the following command to verify the Signature of a downloaded Tor Browser package, but a command with `gpgv --keyring ./tor.keyring` in the command line DOES NOT WORK for users on macOS:
`gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-8.5.4-osx64_en-US.dmg{.asc,}`
For users on macOS, the preceding command or other similar command using `gpgv --keyring ./tor.keyring` in the command line returns the following message:
`gpgv: keyblock resource './tor.keyring': No such file or directory`
`gpgv: no valid OpenPGP data found.`
`gpgv: the signature could not be verified.`
`Please remember that the signature file (.sig or .asc)`
`should be the first file given on the command line.`
For users on macOS, attempts to verify the Signature of a downloaded Tor Browser package by using `gpgv --keyring .\tor.keyring` in the command line will fail.
For users on macOS, the `gpg --verify` command must appear in the command line for verification of the Signature of a downloaded Tor Browser package to be successful. The example below assumes the user has downloaded the Tor Browser package (".dmg") file and the PGP Signature (".asc") file to the "Downloads" folder.
Users on macOS use the command with the following form, and `gpg --verify` appears in the command line to verify the Signature of a downloaded Tor Browser package:
`gpg --verify ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg.asc ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg`
For users on macOS, the `TorBrowser-8.5.5-osx64_en-US.dmg.asc` entry must precede the `TorBrowser-8.5.5-osx64_en-US.dmg` entry on the command line; the preceding command successfully verifies the Signature of the downloaded Tor Browser package by returning the following message:
`gpg: Signature made Tue Sep 3 06:07:30 2019 PDT`
`gpg: using RSA key EB774491D9FF06E2`
`gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"`
"How can I verify Tor Browser's signature?" instructions should be edited accordingly and should have the additional instructions below necessary for users on macOS relying solely on "How can I verify Tor Browser's signature?" instructions to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.
----
In the subsection "Fetching the Tor Developers key" in "How can I verify Tor Browser's signature?", the content should present something like the following instructions for the benefit of all users on macOS:
The Tor Browser team signs Tor Browser releases.
Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
`gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org`
After importing the Tor Browser Developers signing key, users can take the additional step of saving it to a file by entering the following command:
`gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290`
On macOS, by default, the preceding export command saves the Tor Browser Developers key in the following file:
`~/Users/<user name>/tor.keyring`
----
For users on macOS, the subsection "Verifying the signature" in "How can I verify Tor Browser's signature?" contains misinformed and incomplete instructions. These instructions should be edited for the benefit of users on macOS and should include the additional instructions below, crucial for users on macOS relying solely on "How can I verify Tor Browser's signature?" instructions to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.
The "Verifying the signature" subsection presently contains the following information, which confusingly applies the information to users on Windows, GNU/Linux, and macOS, but in reality the information does not apply accurately to users on macOS:
Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc"
The preceding inaccurate information causes confusion for users on macOS and acts as a deterrent and a stumbling block for users on macOS, thereby discouraging, thwarting, or preventing users on macOS from using the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.
In the subsection "Verifying the signature?" in "How can I verify Tor Browser's signature?", something that looks like the following content justifiably merits inclusion in the instructions so that users on macOS relying solely on "How can I verify Tor Browser's signature?" instructions can receive the crucial benefit of using the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package:
After a macOS user downloads the Tor Browser package (".dmg" file), the user downloads the Signature file corresponding with the downloaded Tor Browser installer package.
For users on macOS, on the Tor Browser [Download page](https://www.torproject.org/download/), clicking on the "Sig" or "(sig)" link that corresponds with the downloaded Tor Browser package will open an additional tab in the Tor Browser window, and the window content will include only a block of text, which is the PGP Signature itself.
Users on macOS must save the block of text (the PGP Signature) as an ".asc" file.
In the Tor Browser menu bar, users on macOS select "File > Save Page As", which will open a Finder-save window.
In the Finder-save window, a file name that looks something like `TorBrowser-8.5.5-osx64_en-US.dmg.asc` will self-populate in the space bar on the right side of "Save As:".
If the name of the self-populated file looks something like `TorBrowser-8.5.5-osx64_en-US.dmg`, the user must type ".asc" file extension at the end of the file name to make it look something like `TorBrowser-8.5.5-osx64_en-US.dmg.asc`.
In the Finder-save window, the user selects a folder to save the Signature (".asc") file and saves it in the same folder where the downloaded Tor Browser package (".dmg") file was saved, e.g., in the "Desktop" folder or the "Downloads" folder.
The user customarily always should save the PGP Signature (".asc") file in the same folder where the user saved the downloaded Tor Browser package (".dmg" file).
The downloaded Tor Browser package itself will have a file name that looks something like `TorBrowser-8.5.5-osx64_en-US.dmg`.
----
The important content below justifiably merits inclusion in the instructions in the "How can I verify Tor Browser's signature?" section for users on macOS to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package.
For users on macOS who have installed GPGTools and have imported the Tor Browser Developers key into GPG Keychain, the following instructions allow users to verify the Signature of each downloaded Tor Browser package quickly without having to use terminal commands each time the user downloads a fresh updated or upgraded Tor Browser package (".dmg" file) and its corresponding Signature ("Sig") file:
When the downloaded Tor Browser package (".dmg") file and its corresponding Signature (".asc") file are saved in the same folder, users on macOS can double-click on the ".asc" file to open the "Verification Results" window. A successful verification will display in the "Verification Results" window a message that looks something like the following:
`TorBrowser-8.5.5-osx64_en-US.dmg.asc Signed by: Tor Browser Developers (signing key) <torbrowser@torproject.org> (1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2) - Ultimate trust`
The term "Ultimate trust" will appear at the end of the preceding message only if the user on macOS has assigned "Ownertrust: Ultimate" in GPG Keychain > pub...Tor Browser Developers...4E2C 6E87 9329 8290 > Key Details > Key.
Before assigning "Ultimate trust", it is crucial for users on macOS to confirm that the Key Fingerprint and Subkey Fingerprint appearing in the GPG Keychain window match the corresponding Key Fingerprint and Subkey Fingerprint appearing in the official Tor Project [list of signing keys](https://2019.www.torproject.org/docs/signing-keys.html.en).
----
After the "How can I verify Tor Browser's signature?" instructions are edited as described, users on macOS who rely solely on "How can I verify Tor Browser's signature?" documentation will be able to use the Tor Developer's Signing key to verify the Signature of a downloaded Tor Browser package, thereby reducing the chances of users on macOS unknowingly or unwittingly installing Tor Browser packages that might contain corrupted files and/or malware.
Shouldn't we make it both possible and easier for all users, including users on macOS, to verify Tor Browser's signature?
In the "How can I verify Tor Browser's signature?" section, can we edit the instructions as described so users on macOS relying solely on "How can I verify Tor Browser's signature?" documentation can use the Tor Browser Developer's signing key to verify the Signature each time a user on macOS downloads a fresh Tor Browser package?
[#31296 reopened defect](https://trac.torproject.org/projects/tor/ticket/31296)
[#31254 closed defect (fixed)](https://trac.torproject.org/projects/tor/ticket/31254)
**Trac**:
**Username**: monmire
Pili Guerra

https://gitlab.torproject.org/legacy/trac/-/issues/31254
Tor Support Portal "How can I verify Tor Browser's signature" has inaccurate instructions that can prevent signature verification of Tor Browser
2020-06-13T17:12:29Z
Trac

At https://support.torproject.org/tbb/how-to-verify-signature/,
the subsection `macOS and Linux" / For macOS users`
presents instructions to macOS users to run terminal command
`gpg --verify ~/Downloads/TorBrowser-8.0.8-osx64_en-US.dmg{.asc,} `
On macOS, running that command returns terminal output
`gpg: no valid OpenPGP data found.`
`gpg: the signature could not be verified.`
`Please remember that the signature file (.sig or .asc)`
`should be the first file given on the command line.`
However, running terminal command
`gpg --verify ~/Downloads/{.asc,} TorBrowser-8.0.8-osx64_en-US.dmg`
returns terminal output
`gpg: Signature made Mon Jul 8 03:56:12 2019 PDT`
`gpg: using RSA key EB774491D9FF06E2`
`gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"`
----
If we instruct new Tor Browser users, who might become discouraged by the terminal return
`gpg: no valid OpenPGP data found.`
`gpg: the signature could not be verified.`
`Please remember that the signature file (.sig or .asc)`
`should be the first file given on the command line.`
to instead run terminal command
`gpg --verify ~/Downloads/{.asc,} TorBrowser-8.0.8-osx64_en-US.dmg`,
perhaps more Tor Browser users with less experience might complete a proper verification of Tor Browser's signature, and Tor Browser might gain more new users.
**Trac**:
**Username**: monmire
Gus
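
The verification that the issues above ask the Support Portal to document, as an added example (not code from the reporter or from the Tor Project): it checks that the `.asc` file is an armored signature, passes the signature before the package, and accepts the result only when gpgv's `VALIDSIG` status names the primary fingerprint quoted in the issue. The function names, the keyring path argument and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Primary fingerprint of the Tor Browser Developers signing key, as quoted in the issue.
EXPECTED_PRIMARY="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# signer_ok EXPECTED: reads `--status-fd` lines on stdin and succeeds only if a
# VALIDSIG line carries EXPECTED as its primary-key fingerprint (field 12) and
# no BADSIG/ERRSIG line is present.
signer_ok() {
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($12) == toupper(want) { ok = 1 }
    $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
    END { exit !(ok && !bad) }'
}

# verify_package PKG KEYRING: expects PKG.asc beside PKG. Pass KEYRING as an
# absolute path so the result does not depend on the current directory
# (the "./tor.keyring: No such file or directory" case in the issue).
verify_package() {
  pkg="$1"; sig="$1.asc"; keyring="$2"
  [ -f "$pkg" ] || { echo "missing package: $pkg" >&2; return 2; }
  [ -s "$sig" ] || { echo "missing signature: $sig" >&2; return 2; }
  # A saved file with no armored block is what gpg reports as
  # "no valid OpenPGP data found".
  grep -q -- '-----BEGIN PGP SIGNATURE-----' "$sig" ||
    { echo "not an armored signature: $sig" >&2; return 2; }
  # Signature file first, signed package second.
  gpgv --keyring "$keyring" --status-fd 1 "$sig" "$pkg" 2>/dev/null |
    signer_ok "$EXPECTED_PRIMARY"
}

# Constructed sample of gpgv status output (timestamps are made up; the key IDs
# and fingerprints are the ones that appear in the issue text).
sample_status() {
  printf '%s\n' \
    '[GNUPG:] GOODSIG EB774491D9FF06E2 Tor Browser Developers (signing key) <torbrowser@torproject.org>' \
    '[GNUPG:] VALIDSIG 110775B5D101FB36BC6C911BEB774491D9FF06E2 2019-09-03 1567516050 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'
}

# Usage: sh verify.sh ~/Downloads/TorBrowser-8.5.5-osx64_en-US.dmg "$HOME/tor.keyring"
if [ "$#" -eq 2 ]; then
  verify_package "$1" "$2" && echo "signature OK" || { echo "verification FAILED" >&2; exit 1; }
fi
```

Checking the fingerprint in the `VALIDSIG` line, rather than the "Good signature" text, ties the result to the specific key the page names instead of to whatever keys happen to be in the keyring.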