simplify OpenPGP signature verification instructions
The OpenPGP signature verification instructions at https://support.torproject.org/tbb/how-to-verify-signature/ are more complicated than they need to be, and more repetitive. They also are confusing!
I'll attach a revised version of the
contents.lr file, but you can also see the changes with more clarity as a series of individual git commits on the
pgp-verification branch of tor's
support repo at https://0xacab.org/dkg/tor-support.
the main changes are:
- group GnuPG installation instructions in one place
- export the tor developer OpenPGP certificate as a "keyring"
gpgvfor verification, not raw
- remove accidentally misleading statements about "assigning a trust index" and "exchanging fingerprints"
- use fingerprints and not keyids
- bake fingerprint verification into the workflow, rather than asking humans to compare them manually.
If you disagree with any of these changes, please let me know, and why. i'd be happy to reconsider them with good reason.