please server Tor signature files with Content-Disposition that encourages a download rather than inline viewing
When i click on the sig
link in https://www.torproject.org/download/ (which points to https://www.torproject.org/dist/torbrowser/8.5.4/torbrowser-install-win64-8.5.4_en-US.exe.asc ) i find the OpenPGP signature displayed in the browser directly, rather than being saved to a file.
But the [for verifying the OpenPGP signature] seem to assume that the signature file has been downloaded as a file.
If you use [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition|Content-Disposition]] you should be able to encourage the web browser to save the signatures as a file in the same way that the installer is a file.
I'm attaching a HAR archive of what my browser (Firefox 68) did when clicking on the sig
link, which i think verifies that no Content-Disposition
header was sent.