We should break it into 2 pages. The list of keys that sign sub-components and/or email should be on a completely separate page. The only keys on this page should be those that actually sign user-facing packages: TBB and (maybe) the vidalia expert bundles.
The page should walk the user through verifying a signature of a specific package for each platform. The page should focus on only one key and only one package. This package should probably be TBB.
Also, much of the material on this page is out of date. For example, the Mac utilities are completely different now, are hosted at a new URL, and now have a GUI that handles the key import process (but sadly not package signature verification). They do at least put the gpg binary into the system path, so you no longer have to grovel through /Applications in order to find it.
I agree it needs work. But we should be aware that many of the users who most need this page can't reach the Tor website. So turning it into multiple pages, both of which they need, will make the job of getting information to them even harder.
Remaining is to teach the user about PGP and the web of trust, and explain that it isn't about just running these commands, it's about gaining trust in the key, and here are some ways to do that.
I think there should only be one platform per page.
For Linux users it's pretty straightforward, as their systems come with gpg anyway, since most distributors require it to sign the system's own packages.
For Mac users, when they install GPGTools https://www.gpgtools.org it's within their PATH, so the commands are basically the same as for Linux users.
For Windows though, when they install gpg4win http://www.gpg4win.org , it should be noted that the commands vary depending on whether the system is 32-bit or 64-bit, or on Windows Vista/7 or XP.
For example my current windows system installs into: C:\Program Files (x86)\GNU\GnuPG\gpg2.exe
I'd also recommend having pictures too, they can explain a lot. The last thing you want is inexperienced users scared and afraid to complete the process.
One of the unfortunate problems with GnuPG on Windows or MacOSX is that there's only one distribution of it provided by the gpg4win http://www.gpg4win.org team. The authenticity of their binary distribution of GnuPG does not have the same level of assurance one can get from the distributed copy of GnuPG with a Linux distribution as the iso images for those usually include signed sha256 checksums.
Furthermore, it is not recommended to check the signature of a distribution of gpg with itself (http://www.gnupg.org/download/integrity_check.html), but I guess for Windows users this cannot be avoided unless they boot up a LiveCD and check it from within there.
It is unlikely they have a Linux system to check gpg4win's integrity on.
gpg4win's website also isn't https (hopefully this could change), so the MITM vulnerability discussed on the Tor verification page could quite well affect the project page. It is at least fortunate that gpgtools https://www.gpgtools.org/ uses https and is verified by the StartCom Ltd certificate authority.
In any case I've made some screenshots from a Windows 7 x64 system. These should be included with any step-by-step instructions created for Windows.
Another thing that should be noted: the gpg4win installer now puts gpg in the user's PATH by default, so specifying the full path, i.e. "C:\Program Files (x86)\GNU\GnuPG\gpg2.exe", is no longer required. Windows users can simply call "gpg2" like Linux and MacOSX users.
You should assume they have never used the command prompt, so explaining each command is best.
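The comments above spell out which gpg binary to call on each platform, and an earlier comment makes the point that running the commands is not enough: the user has to gain trust in the key. The script below is an added example, not part of this ticket or of Tor's own documentation, that shows the check a step-by-step page should end with. A plain `gpg --verify` reports "Good signature" for any key that happens to be in the keyring, so the verifying side must also pin the signing key's fingerprint. All keys, the "publisher" and "impostor" identities, and the bundle file are generated on the fly in a throwaway GNUPGHOME and are constructed for the demonstration; no real Tor signing keys are involved.

```shell
#!/bin/sh
# Added example (not from the ticket): verify a detached GnuPG signature AND
# pin the signer's fingerprint, because "gpg --verify" exits 0 for a good
# signature from *any* key in the keyring. Everything below is generated in a
# temporary GNUPGHOME; the identities and the "bundle" are constructed test data.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'rm -rf "$WORK"' EXIT

# make_key EMAIL: create an unprotected RSA key for EMAIL (test data only).
make_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $1
Name-Email: $1
Expire-Date: 0
%commit
EOF
}

# fpr_of EMAIL: print the primary-key fingerprint of the key for EMAIL.
fpr_of() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# verify_pinned FILE SIG EXPECTED_FPR: succeed only if SIG is a valid
# signature over FILE made by the key whose primary fingerprint is
# EXPECTED_FPR. The VALIDSIG status line carries the primary-key fingerprint
# as its last field, so this also covers signatures made by a subkey.
verify_pinned() {
    signer=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
             | awk '$2=="VALIDSIG"{print $NF; exit}')
    [ -n "$signer" ] && [ "$signer" = "$3" ]
}

make_key publisher@example.invalid
make_key impostor@example.invalid
GOOD_FPR=$(fpr_of publisher@example.invalid)

# A stand-in for the package and two detached signatures over it.
printf 'pretend this is the bundle\n' > "$WORK/bundle.tar.xz"
gpg --batch --quiet -u publisher@example.invalid --detach-sign --armor \
    -o "$WORK/good.asc" "$WORK/bundle.tar.xz" 2>/dev/null
gpg --batch --quiet -u impostor@example.invalid --detach-sign --armor \
    -o "$WORK/bad.asc" "$WORK/bundle.tar.xz" 2>/dev/null

# Plain --verify is happy with the impostor's signature: it is a good
# signature by a key in the keyring, which is exactly the trap.
gpg --batch --verify "$WORK/bad.asc" "$WORK/bundle.tar.xz" 2>/dev/null \
    && echo "plain gpg --verify accepted the impostor's signature"

# Pinning the fingerprint separates the two cases.
if verify_pinned "$WORK/bundle.tar.xz" "$WORK/good.asc" "$GOOD_FPR"; then
    echo "good.asc: valid signature by pinned key $GOOD_FPR"
fi
if ! verify_pinned "$WORK/bundle.tar.xz" "$WORK/bad.asc" "$GOOD_FPR"; then
    echo "bad.asc: rejected, signer is not the pinned key"
fi
```

The value to pin is the fingerprint the user has obtained out of band (from the website over https, from a second channel, or from someone they trust), not one read off the key they just downloaded; the comparison is what turns "gpg ran without error" into "this file was signed by the key I expected".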
Riseup's devs are similarly happy to keep their certificates and CA pages up to date.
If these patches get merged I might look into an automated solution (imagine a js OS selector to download a .sh/.bat file and a script to generate gpg output for each new version). Feel free to assign me.