GitLab

TBB 3.0beta1 is pretty much ready. We should start hosting download links on https://www.torproject.org/projects/torbrowser.html.en, and figure out how to handle the signature verification problem.

Because of the new single sha256sums.txt file and multiple detached signatures, the validation process is now more involved. Windows users have to either use a powershell scriptlet to verify sha256 (https://blogs.msdn.com/b/mwilbur/archive/2007/03/14/get-sha256.aspx?Redirected=true) or download hashdeep (http://md5deep.sourceforge.net/hashdeep.html). We'll then have to either explain how to download and rename one of the sigs, or make one of them the default .asc and explain how to verify the others if they like.

Other alternatives include getting a real code signing cert for Windows (since I bet roughly nobody downloads the sigs anyway) or getting funding to turn torbrowser-launcher into a proper stub installer that works on all platforms: https://github.com/micahflee/torbrowser-launcher/issues/33 https://github.com/micahflee/torbrowser-launcher/issues/34