Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
S
support
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 42
    • Issues 42
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 4
    • Merge Requests 4
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Members
    • Members
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

  • The Tor Project
  • Web
  • support
  • Issues
  • #149

Closed
Open
Opened Jul 31, 2019 by dkg@dkg

simplify OpenPGP signature verification instructions

The OpenPGP signature verification instructions at https://support.torproject.org/tbb/how-to-verify-signature/ are more complicated than they need to be, and more repetitive. They also are confusing!

I'll attach a revised version of the contents.lr file, but you can also see the changes with more clarity as a series of individual git commits on the pgp-verification branch of tor's support repo at https://0xacab.org/dkg/tor-support.

the main changes are:

  • group GnuPG installation instructions in one place
  • export the tor developer OpenPGP certificate as a "keyring"
  • use gpgv for verification, not raw gpg
  • remove accidentally misleading statements about "assigning a trust index" and "exchanging fingerprints"
  • use fingerprints and not keyids
  • bake fingerprint verification into the workflow, rather than asking humans to compare them manually.

If you disagree with any of these changes, please let me know, and why. i'd be happy to reconsider them with good reason.

Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: tpo/web/support#149