Verifying-signatures needs some work
https://www.torproject.org/docs/verifying-signatures.html.en is ridiculously complicated and stuffed with tons of irrelevant information.
We should break it into 2 pages. The list of keys that signs sub-components and/or email should be on a completely separate page. The only keys on this page should be those that actually sign user-facing packages: TBB and (maybe) the vidalia expert bundles.
The page should walk the user through verifying a signature of a specific package for each platform. The page should focus on only one key and only one package. This package should probably be TBB.
Also, much of the material on this page is out of date. For example, the Mac utilities are completely different now, are hosted at a new URL, and now have a GUI that handles the key import process (but sadly not package signature verification). They do at least put the gpg binary into the system path, so you no longer have to grovel through /Applications in order to find it.
Activity
changed milestone to %website redesign
Replying to mikeperry:
We should break it into 2 pages.
I agree it needs work. But we should be aware that many of the users who most need this page can't reach the Tor website. So turning it into multiple pages, both of which they need, will make the job of getting information to them even harder.
I think there should only be one platform per page.
For Linux users it's pretty straightforward as their systems come with gpg anyway as most distributors require it to sign the systems own packages.
Mac users when they install GPGTools https://www.gpgtools.org it's within their path so the commands are basically the same as linux users.
For Windows though when they install gpg4win http://www.gpg4win.org , it should be noticed the commands vary depending on if the system is 32bit or 64bit, or on Windows Vista/7 or XP.
For example my current windows system installs into: C:\Program Files (x86)\GNU\GnuPG\gpg2.exe
I'd also recommend having pictures too, they can explain a lot. The last thing you want is inexperienced users scared and afraid to complete the process.
Trac:
Username: anonymous6748-
Trac:
Username: anonymous6748 -
One of the unfortunate problems with GnuPG on Windows or MacOSX is that there's only one distribution of it provided by the gpg4win http://www.gpg4win.org team. The authenticity of their binary distribution of GnuPG does not have the same level of assurance one can get from the distributed copy of GnuPG with a Linux distribution as the iso images for those usually include signed sha256 checksums.
Furthermore it is not recommended to check the signature of a distribution of gpg with itself. http://www.gnupg.org/download/integrity_check.html but I guess for Windows users this cannot be avoided unless they boot up a LiveCD and check it from within there.
It is unlikely they have a Linux system to check gpg4win's integrity on.
Perhaps a possibility is to use a X.509 signature like the TrueCrypt team does: http://www.truecrypt.org/docs/?s=digital-signatures
gpg4win's website also isn't https, (hopefully this could change) so the MITM vulnerability discussed on the Tor verification page could quite well effect the project page. It is at least fortunate that gpgtools https://www.gpgtools.org/ uses https and is verified by the StartCom Ltd certificate authority.
In any case I've made some screenshots from a Windows 7 x64 system. These should be included with any step-by-step instructions created for Windows.
Another thing should be noted the gpg4win installer now puts gpg in the user's PATH by default so specifying the full path ie "C:\Program Files (x86)\GNU\GnuPG\gpg2.exe" is no longer required. Windows users can simply just call "gpg2" like Linux and MacOSX users.
You should assume your have never used the command prompt, so explaining each command is best.
Trac:
Username: anonymous6748 More discussion about this page is on https://trac.torproject.org/projects/tor/ticket/10073
Trac:
Sponsor: N/A to N/A
Reviewer: N/A to N/A
Severity: N/A to Normalremove full path from windows gpg command (comment:7) https://github.com/torproject/webwml/pull/7
Riseup's devs are similarly happy to keep their certificates and CA pages up to date.
If these patches get merged i might look into an automated solution (imagine a js os selector to download a .sh/.bat file and a script to generate gpg output for each new version). Feel free to assign me.
Trac:
Status: assigned to needs_reviewTrac:
Parent: N/A to #23266 (moved)Update: Today an user in #tor had issues to verify the downloaded file. Maybe it would help to fix the current website before the new one is ready?
PR 7 has been merged and https://github.com/torproject/webwml/pull/31 is waiting for review by the UX team.
Trac:
Reviewer: N/A to antonela
Trac:
Parent: #23266 (moved) to #30259 (moved)mentioned in issue #3980 (moved)
mentioned in issue #4218 (moved)
mentioned in issue #5463 (moved)
mentioned in issue #9496 (moved)
mentioned in issue #9843 (moved)
mentioned in issue #9864 (moved)
mentioned in issue #13065 (moved)
mentioned in issue #13677 (moved)
mentioned in issue #14686 (moved)
mentioned in issue #17413 (moved)
mentioned in issue #18820 (moved)
mentioned in issue #18925 (moved)
mentioned in issue #18925 (moved)
mentioned in issue #21808 (moved)
mentioned in issue #22637 (moved)
mentioned in issue #23586 (moved)
mentioned in issue #26539 (moved)
mentioned in issue #27514 (moved)
mentioned in issue #30259 (moved)
moved to tpo/web/trac#3893 (moved)
mentioned in issue tpo/anti-censorship/gettor-project/trac#3980 (closed)
