Feedback on https://support.torproject.org/tbb/how-to-verify-signature/ and suggestions for making it easier to verify tor downloads
Feedback from frontdesk:
Hi, I recently installed tor (thanks so much for this great work). And I have some suggestions for improving the web page instructions to verify downloads. I'm referring to the instructions at https://support.torproject.org/tbb/how-to-verify-signature/ and https://www.torproject.org/download/.
- The download page (https://www.torproject.org/download/) makes it tricky to understand how to get the signature. On the download page, each of the choices has "Signature (?)". The "?" page does take you to the how-to-verify-signature page, but you have to know where to get the .asc file. I'm sure it's not obvious to naive users; it wasn't obvious to me either.
You might improve the UX of this page to somehow tell the users they need to download the appropriate .asc file.
- On the how to verify page (https://support.torproject.org/tbb/how-to-verify-signature/), it states the .asc file is found where the download was. But it's a little tricky to figure out that what this really means is you go back one page, then click "save link as" on the 'signature'.
2.a Solution (a): download the .asc page automatically when the user clicks on it. That's probably the best solution. On Firefox it doesn't download, and on Chrome it doesn't download either; it just shows that page. I'm left with copying and saving it through some other program, or "save as" on that page.
2.b Update the text to be more clear.
Current text:
Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get.
For example, torbrowser-install-win64-9.0_en-US.exe is accompanied by torbrowser-install-win64-9.0_en-US.exe.asc. These are example file names and will not exactly match the file names that you download.
Suggested text (I highlighted my changes):
Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc", see the 'signature' files. These .asc files are OpenPGP signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get. One way to get them is to download the 'signature' file. This varies by web browser, but there's usually an option like "download link" where you "right-click" the 'signature' link and save the file.
For example, torbrowser-install-win64-9.0_en-US.exe is accompanied by torbrowser-install-win64-9.0_en-US.exe.asc. These are example file names and will not exactly match the file names that you download.
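The procedure the support page describes, as an added example that is not part of the ticket and not the Tor project's own code: a small POSIX sh helper that derives the .asc name from the package name, checks that the signature was really saved as a file rather than displayed as a page (the failure mode the feedback describes), and then hands both files to gpgv. The keyring path, the user ID and the package contents are assumptions; the example knows nothing about the Tor signing key, which still has to be imported into the keyring as the support page describes. The self-test at the end generates a throwaway key so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the Tor project or from the ticket author.
# Assumes gpg and gpgv from GnuPG 2.1+ are installed; the keyring path and
# file names used below are illustrative.

# The signature that accompanies a package has the same name plus ".asc".
sig_name_for() {
    printf '%s.asc\n' "$1"
}

# Check that the package and its signature are both present as regular files
# and that the .asc really is an ASCII-armored OpenPGP signature.
# Returns 0 if both look right, 1 if the package is missing, 2 if the
# signature was never saved, 3 if the .asc holds something else (typically
# an HTML page the browser saved instead of the link target).
check_download_pair() {
    pkg=$1
    sig=$(sig_name_for "$pkg")
    if [ ! -f "$pkg" ]; then
        echo "missing package: $pkg" >&2
        return 1
    fi
    if [ ! -f "$sig" ]; then
        echo "missing signature: $sig (right-click the Signature link and save it)" >&2
        return 2
    fi
    if ! grep -q 'BEGIN PGP SIGNATURE' "$sig"; then
        echo "not an OpenPGP signature: $sig" >&2
        return 3
    fi
    return 0
}

# Verify a package against its .asc with gpgv and the given keyring file.
# Hypothetical usage:
#   verify_download /path/to/tor.keyring torbrowser-install-win64-9.0_en-US.exe
verify_download() {
    keyring=$1
    pkg=$2
    check_download_pair "$pkg" || return $?
    gpgv --keyring "$keyring" "$(sig_name_for "$pkg")" "$pkg"
}

# Offline self-test: generate a throwaway key, sign a constructed package,
# verify it, then tamper with it and confirm verification fails.
# Returns 0 on success, 77 if GnuPG is unavailable, 1 on a real failure.
demo_roundtrip() {
    command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 || return 77
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    # Key generation may be unsupported on very old GnuPG; treat that as skip.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Signer <signer@example.invalid>' default default never \
        >/dev/null 2>&1 || { rm -rf "$tmp"; unset GNUPGHOME; return 77; }
    gpg --batch --export > "$tmp/keyring.gpg" || return 1
    printf 'constructed package contents\n' > "$tmp/pkg.tar"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$tmp/pkg.tar.asc" "$tmp/pkg.tar" || return 1
    verify_download "$tmp/keyring.gpg" "$tmp/pkg.tar" >/dev/null 2>&1 || return 1
    printf 'x' >> "$tmp/pkg.tar"   # tamper: one extra byte must break the signature
    if verify_download "$tmp/keyring.gpg" "$tmp/pkg.tar" >/dev/null 2>&1; then
        return 1
    fi
    rm -rf "$tmp"
    unset GNUPGHOME
    return 0
}
```

gpgv is used rather than gpg --verify because it only consults the keyring it is given and ignores the trust database, which is what you want when checking a download against one known publisher key. The check for "BEGIN PGP SIGNATURE" catches the exact mistake in the feedback above: a browser that renders the .asc link instead of saving it, followed by a "Save page as" that writes HTML under the .asc name.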