GitLab

The current GetTor reply we decided earlier was (and which is currently deployed):

SHA256 of Tor Browser 32/64-bit (advanced): 443b38f4aa1194125ca3c79157272d5c64006928c9128127788c1cdefa642d85
Fingerprint of key used to sign Tor Browser (advanced): 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

We can do better. If you see ticket:9036#comment:16, we will be introducing a new section on signatures and verification of the bundles. This is tricky since on one hand we want users to verify the bundles they downloaded, but on the other, it's not always easy to do so. This ticket will focus on what the text should look like and how we should ensure that users are easily able to verify the bundles.

(It's easier said than done and it's not like we are the first ones trying to solve this problem but we should focus on it from GetTor's context to narrow it down.)