Clarify verifying-signatures.html for builds not signed by erinn
I downloaded tor-0.2.5.8-rc.tar.gz with the .asc and tried to verify them.
Clicking the "what's this" next to the asc file brings me to https://www.torproject.org/docs/verifying-signatures.html.en
That site is only focused on tor browser builds and says "Erinn Clark signs the Tor Browser Bundles. Import her key..."
I must've missed the "tor browser" part and assumed erinn signed all builds. Following the instructions gives me
gpg --verify tor-0.2.5.8-rc.tar.gz.asc tor-0.2.5.8-rc.tar.gz gpg: Signature made Tue 23 Sep 2014 01:47:29 AM UTC using RSA key ID 19F78451 gpg: Can't check signature: public key not found
The problem is it looks like roger signs the alpha builds. I figured this out googling around and finding https://www.torproject.org/docs/signing-keys.html
Suggested fix: Mention the "public key not found" error on verifying-signatures.html, instruct users to download roger's key.
and/or have a different "what's this" page linked next to the alpha builds (and anything else erinn doesn't sign)