[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4
The more complicated verification gets, the more difficult it becomes
for `the bad guys' to hack your files. So there's a real benefit to
embracing the advanced verification process. Learning that process
may take some time, but if you're quite seriously worried, then maybe
it's very much worth doing. The steps below outline a fairly
anonymous process. Possibly you may prefer to do all of this
someplace other than at home or work, or someplace where no phones or
MAC addresses have tracked you.
1) Sha256sum verification.
1)A) From different exit nodes of the Tor network, download from
TorProject [5] three or more copies of each of these files. To change
exit nodes, click "New Identity" in the TorButton menu.
1)A)a) [TorBrowserBundle].tar.xz
1)A)b) [TorBrowserBundle].tar.xz.asc (Note: ".asc" files are detatched
signatures)
1)A)c) sha256sums.txt
1)A)d) sha256sums.txt.asc
1)B) Compare the SHA256 sums of each subset separately (a, then b,
then c, then d) amongst themselves, and delete the ones that don't
match the others [4]. Re-download new copies if necessary.
1)C) Check the SHA256 sums of [TorBrowserBundle].tar.xz against
the list sha256sums.txt. Instructions on how to do this can be found
at Tor's page "How to verify signatures for packages" [3]. (On
Linux/OSX it's easy; maybe it's easy on Windows, too, I don't know.)
2) GPG. (Note: command syntax shown is for gpg v.1.4.16 on Linux)
2)A) Get from TorProject the first list of keys.
2)A)a) An easier way is to just download the one signing key,
listed at the TorProject Blog [1].
2)A)b) The more thorough way is download them all, listed at [2] and below.
2)B) Import into gpg the keys on the first list.
2)B)a) Just the signing key, listed at [1].
gpg --keyserver keys.gnupg.net --recv-keys 0x4E2C6E8793298290
2)B)b) Or all of the keys listed at [2].
gpg --keyserver keys.gnupg.net --recv-keys 0x0E3A92E4 0x4B7C3223
0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A
0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6
0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577
0xD255D3F5C868227F 0x4E2C6E8793298290
2)C) Get from gpg the second list of keys. These are the gpg keys of
individuals and organizations which have signed the TorProject signing
key. In the example below, what you're looking for are the eight-digit
key numbers listed to the left of the term "sig," which is found in
the furthermost lefthand column.
$ gpg --list-sigs 0x4E2C6E8793298290
pub 4096R/93298290 2014-12-15
uid Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
sig 63FEE659 2015-01-13 Erinn Clark <erinn@xxxxxxxxxxxxxx>
sig 4B7C3223 2014-12-15 Georg Koppen <gk@xxxxxxxxxxxxxx>
sig 3 93298290 2014-12-15 Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
sig 1B678A63 2015-02-26 Nicolas Vigier (boklm)
<boklm@xxxxxxxxxxxxxxxx>
sig 95C877E5 2015-03-01 Paulo Garcia <macrinus1789@xxxxxxxxx>
sub 4096R/F65C2036 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
sub 4096R/D40814E0 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
sub 4096R/589839A3 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
2)D) Import into gpg the keys on this second list.
gpg --keyserver keys.gnupg.net --recv-keys 63FEE659 4B7C3223 93298290
1B678A63 95C877E5
2)E) Optional. For verification, re-import all keys from a second
and/or third source. Additional keyservers can be found online with
some digging. "PKS" and "site:.edu" are fairly good search terms.
gpg --keyserver keys.mozilla.org --recv-keys 0x0E3A92E4 0x4B7C3223
0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A
0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6
0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577
0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290
1B678A63 95C877E5
gpg --keyserver pgp.mit.edu --recv-keys 0x0E3A92E4 0x4B7C3223
0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A
0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6
0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577
0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290
1B678A63 95C877E5
2)F) Verify online the full 40 digit fingerprint(s), or just
`fingerprint,' of the key(s) you've imported. AFAIK, this can only be
done one key at a time, so it's a little time consuming, but it's
easy. Verification of the TorProject signing key's fingerprint is the
most important.
2)F)a) Starting with the signing key, 0x4E2C6E8793298290, visually
compare the "Primary key fingerprint" printed in terminal by gpg to
the "Key fingerprint" listed at torproject.org on their blog [1]. The
"Primary key fingerprint" is a 40 digit alphanumeric string: "EF6E
286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290". The fingerprints and
their related data should match. Here are the commands, followed by
how they appear on my machine:
COMMANDS:
$ gpg --edit-key 0x4E2C6E8793298290
gpg> fpr
gpg> q
HOW THESE COMMANDS APPEAR ON MY MACHINE:
$ gpg --edit-key 0x4E2C6E8793298290
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 4096R/93298290 created: 2014-12-15 expires: never usage: C
trust: unknown validity: undefined
sub 4096R/F65C2036 created: 2014-12-15 expires: never usage: S
sub 4096R/D40814E0 created: 2014-12-15 expires: never usage: S
sub 4096R/589839A3 created: 2014-12-15 expires: never usage: S
[ undef ] (1). Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
gpg> fpr
pub 4096R/93298290 2014-12-15 Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
gpg> q
2)F)b) Check the fingerprint of the signing key with an online Public
Key Server. After changing identities in TorBrowser, surf to the key
server of your choice. An HTTPS connection is ideal here to prevent
any malicious interference.
https://pgp.mit.edu
https://keys.gnupg.net
https://keys.mozilla.org
Once at the Public Key Server's page, select the check box "Show PGP
fingerprints for keys." Go back to terminal, to the output of "gpg>
fpr", and copy the eight digit key number or email address for the key
whose fingerprint you want check online. As above:
gpg> fpr
pub 4096R/93298290 2014-12-15 Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>
Paste the eight digit key number or email address into the Public Key
Server's search box, and do the search. If multiple keys show up, the
one key you're looking for should have the full and correct 40 digit
fingerprint listed with it. Just do a "ctrl-F" search for the full
fingerprint within the page of search results.
Now you reasonably have secondary or tertiary confirmation of the
validity of your copy of TorProject's signing key. Feel free to
re-check at any time.
2)F)c) Optional. Check online the fingerprints of the gpg keys of
the individuals and organizations which have signed TorProject's
signing key. This step combines together a few of the previous steps.
For ease, you may want to open a text editor to keep a list handy of
the fingerprints you've verified; there's a lot of switching back and
forth.
2)F)c)1) Go back to steps 2)C) and 2)D) and get the second list of keys.
63FEE659 4B7C3223 93298290 1B678A63 95C877E5
2)F)c)2) Next, check in gpg the fingerprint of one of the keys. In
this example I've chosen at random the first key on the list, key
63FEE659 from Erinn Clark. Call up in gpg the fingerprint using the
commands in 2)F)a).
$ gpg --edit-key 63FEE659
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/63FEE659 created: 2003-10-16 expires: never usage: SC
trust: unknown validity: full
sub 2048R/EB399FD7 created: 2003-10-16 expires: never usage: E
[ full ] (1). Erinn Clark <erinn@xxxxxxxxxxxxxx>
[ full ] (2) Erinn Clark <erinn@xxxxxxxxxx>
[ revoked] (3) Erinn Clark <erinnc@xxxxxxxxxxxxx>
[ full ] (4) Erinn Clark <erinn@xxxxxxxxxxxxxxxx>
gpg> fpr
pub 2048R/63FEE659 2003-10-16 Erinn Clark <erinn@xxxxxxxxxxxxxx>
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
gpg> q
2)F)c)3) Copy (ctrl-c) the full 40 digit fingerprint from your gpg
results. Next, go to TorProject's page "Which PGP keys sign which
packages" [2] and search for the same 40 digit fingerprint, in this
example of key 63FEE659 from Erinn Clark. The fingerprints and
related data between gpg and Torproject should match. If ctrl-c
doesn't work for you, a visual check works too.
pub 2048R/63FEE659 2003-10-16
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
uid Erinn Clark <erinn@xxxxxxxxxxxxxx>
uid Erinn Clark <erinn@xxxxxxxxxx>
uid Erinn Clark <erinn@xxxxxxxxxxxxxxxx>
sub 2048R/EB399FD7 2003-10-16
2)F)c)4) From here, it's faster to check all of the fingerprints of
the keys from step 2)F)c)1) in gpg and at TorProject, as outlined in
the above two steps, than it is to double and triple check with online
Public Key Servers in serial.
2)F)c)5) Repeat as desired the above steps 2)F)c)2) and 2)F)c)3) to
check the fingerprints in gpg against online Public Key Servers of
your choice, as listed in step 2)F)b). Remember to use an HTTPS
connection and switch identities between websites.
2)G) Verify that in GPG the detached signatures (.asc) on the
sha256sums.txt and [TBB].tar.xz files are good. Remember to verify
only files which have already passed the sha256sum verification.
There's been a lot of really good advice on this part of the process
recently, so I'll just show the commands here.
2)G)a) The sha256sums file.
$ gpg --verify sha256sums.txt.asc sha256sums.txt
gpg: Signature made Wed 25 Feb 2015 07:55:34 AM GMT using RSA key ID F65C2036
gpg: Good signature from "Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
2)G)b) The TorBrowserBundle file.
$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 07:54:55 AM GMT using RSA key ID F65C2036
gpg: Good signature from "Tor Browser Developers (signing key)
<torbrowser@xxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
3) Securely delete the extra files [4]. All done.
cheers,
gz
[1] https://blog.torproject.org/blog/tor-browser-404-released
[2] https://www.torproject.org/docs/signing-keys.html.en
[3] https://www.torproject.org/docs/verifying-signatures.html.en
[4] https://en.wikipedia.org/wiki/List_of_data-erasing_software
[5] https://dist.torproject.org/torbrowser/
-------------------------------------------------
VFEmail.net - http://www.vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk