Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-13T17:28:05Zhttps://gitlab.torproject.org/legacy/trac/-/issues/30295"Verify Tor Browser Signature" link on torproject.org is difficult to find an...2020-06-13T17:28:05Zwayward"Verify Tor Browser Signature" link on torproject.org is difficult to find and should be movedThe link on https://www.torproject.org/download/ to find out more information on how to verify a Tor Browser signature is difficult to find, as it is not close to any signature links. In addition, the name of the link itself does not ind...The link on https://www.torproject.org/download/ to find out more information on how to verify a Tor Browser signature is difficult to find, as it is not close to any signature links. In addition, the name of the link itself does not indicate that it leads to a 'how-to' page.
I suggest that we move the link next to the 'Sig' buttons under each platform's download button, and change the link's icon to indicate that it leads to more information on verifying signatures.
Feedback from this blog post: https://blog.torproject.org/comment/280712#comment-280712HiroHirohttps://gitlab.torproject.org/legacy/trac/-/issues/27514Add instructions how to verify signatures on Android2020-06-13T17:36:31ZtraumschuleAdd instructions how to verify signatures on AndroidWith #26531 https://www.torproject.org/docs/verifying-signatures.html needs a section for Android.With #26531 https://www.torproject.org/docs/verifying-signatures.html needs a section for Android.traumschuletraumschulehttps://gitlab.torproject.org/legacy/trac/-/issues/13122Please make .asc files be downloaded instead of displayed2020-06-13T16:48:45ZLunarPlease make .asc files be downloaded instead of displayedCurrently when opening the following link in a browser, the signature will be displayed instead of downloaded: https://www.torproject.org/dist/torbrowser/3.6.5/torbrowser-install-3.6.5_en-US.exe.asc
This can confuse users trying to veri...Currently when opening the following link in a browser, the signature will be displayed instead of downloaded: https://www.torproject.org/dist/torbrowser/3.6.5/torbrowser-install-3.6.5_en-US.exe.asc
This can confuse users trying to verify the signature, because they will need the file saved on their disk with most tools. In order to save them a step, and some bewilderment, let's make .asc files be downloaded by browsers.
I believe the Apache configuration snippet to be close to the following:
```
<FilesMatch "\.asc$">
ForceType application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>
```https://gitlab.torproject.org/legacy/trac/-/issues/3893Verifying-signatures needs some work2020-06-21T18:04:51ZMike PerryVerifying-signatures needs some workhttps://www.torproject.org/docs/verifying-signatures.html.en is ridiculously complicated and stuffed with tons of irrelevant information.
We should break it into 2 pages. The list of keys that signs sub-components and/or email should be...https://www.torproject.org/docs/verifying-signatures.html.en is ridiculously complicated and stuffed with tons of irrelevant information.
We should break it into 2 pages. The list of keys that signs sub-components and/or email should be on a completely separate page. The only keys on this page should be those that actually sign user-facing packages: TBB and (maybe) the vidalia expert bundles.
The page should walk the user through verifying a signature of a specific package for each platform. The page should focus on only one key and only one package. This package should probably be TBB.
Also, much of the material on this page is out of date. For example, the Mac utilities are completely different now, are hosted at a new URL, and now have a GUI that handles the key import process (but sadly not package signature verification). They do at least put the gpg binary into the system path, so you no longer have to grovel through /Applications in order to find it.website redesignRoger DingledineRoger Dingledine