
Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4




On Tue, Mar 3, 2015, at 12:49 AM, goofyzrnssm@xxxxxxxxxxx wrote:
> The more complicated verification gets, the more difficult it becomes  
> for `the bad guys' to hack your files.  So there's a real benefit to  
> embracing the advanced verification process.  Learning that process  
> may take some time, but if you're quite seriously worried, then maybe  
> it's very much worth doing.  The steps below outline a fairly  
> anonymous process.  Possibly you may prefer to do all of this  
> someplace other than at home or work, or someplace where no phones or  
> MAC addresses have tracked you.
> 
> 
> 1) Sha256sum verification.
> 
>     1)A) From different exit nodes of the Tor network, download from  
> TorProject [5] three or more copies of each of these files.  To change  
> exit nodes, click "New Identity" in the TorButton menu.
>        1)A)a) [TorBrowserBundle].tar.xz
>        1)A)b) [TorBrowserBundle].tar.xz.asc (Note: ".asc" files are
>        detached signatures)
>        1)A)c) sha256sums.txt
>        1)A)d) sha256sums.txt.asc
> 
>     1)B) Compare the SHA256 sums of each subset separately (a, then b,  
> then c, then d) amongst themselves, and delete the ones that don't  
> match the others [4].  Re-download new copies if necessary.
> 
>     1)C) Check the SHA256 sums of [TorBrowserBundle].tar.xz against  
> the list sha256sums.txt.  Instructions on how to do this can be found  
> at Tor's page "How to verify signatures for packages" [3].  (On  
> Linux/OSX it's easy; maybe it's easy on Windows, too, I don't know.)
> 
> 
> 2) GPG.  (Note: command syntax shown is for gpg v.1.4.16 on Linux)
> 
> 2)A) Get from TorProject the first list of keys.
>     2)A)a) An easier way is to just download the one signing key,  
> listed at the TorProject Blog [1].
>     2)A)b) The more thorough way is download them all, listed at [2] and
>     below.
> 
> 2)B) Import into gpg the keys on the first list.
>     2)B)a) Just the signing key, listed at [1].
> 
> gpg --keyserver keys.gnupg.net --recv-keys 0x4E2C6E8793298290
> 
> 
>     2)B)b) Or all of the keys listed at [2].
> 
> gpg --keyserver keys.gnupg.net --recv-keys 0x0E3A92E4 0x4B7C3223  
> 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A  
> 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6  
> 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577  
> 0xD255D3F5C868227F 0x4E2C6E8793298290
> 
> 
> 2)C) Get from gpg the second list of keys. These are the gpg keys of  
> individuals and organizations which have signed the TorProject signing  
> key. In the example below, what you're looking for are the eight-digit  
> key numbers listed to the left of the term "sig," which is found in  
> the furthermost lefthand column.
> 
> $ gpg --list-sigs 0x4E2C6E8793298290
> pub   4096R/93298290 2014-12-15
> uid                  Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
> sig          63FEE659 2015-01-13  Erinn Clark <erinn@xxxxxxxxxxxxxx>
> sig          4B7C3223 2014-12-15  Georg Koppen <gk@xxxxxxxxxxxxxx>
> sig 3        93298290 2014-12-15  Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
> sig          1B678A63 2015-02-26  Nicolas Vigier (boklm)  
> <boklm@xxxxxxxxxxxxxxxx>
> sig          95C877E5 2015-03-01  Paulo Garcia <macrinus1789@xxxxxxxxx>
> sub   4096R/F65C2036 2014-12-15
> sig          93298290 2014-12-15  Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
> sub   4096R/D40814E0 2014-12-15
> sig          93298290 2014-12-15  Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
> sub   4096R/589839A3 2014-12-15
> sig          93298290 2014-12-15  Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
> 
> 
> 2)D) Import into gpg the keys on this second list.
> 
> gpg --keyserver keys.gnupg.net --recv-keys 63FEE659 4B7C3223 93298290  
> 1B678A63 95C877E5
> 
> 
> 2)E) Optional.  For verification, re-import all keys from a second  
> and/or third source.  Additional keyservers can be found online with  
> some digging.  "PKS" and "site:.edu" are fairly good search terms.
> 
> gpg --keyserver keys.mozilla.org --recv-keys 0x0E3A92E4 0x4B7C3223  
> 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A  
> 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6  
> 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577  
> 0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290  
> 1B678A63 95C877E5
> 
> gpg --keyserver pgp.mit.edu --recv-keys 0x0E3A92E4 0x4B7C3223  
> 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A  
> 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6  
> 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577  
> 0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290  
> 1B678A63 95C877E5
> 
> 
> 2)F) Verify online the full 40 digit fingerprint(s), or just  
> `fingerprint,' of the key(s) you've imported.  AFAIK, this can only be  
> done one key at a time, so it's a little time consuming, but it's  
> easy.  Verification of the TorProject signing key's fingerprint is the  
> most important.
> 
> 2)F)a) Starting with the signing key, 0x4E2C6E8793298290, visually  
> compare the "Primary key fingerprint" printed in terminal by gpg to  
> the "Key fingerprint" listed at torproject.org on their blog [1].  The  
> "Primary key fingerprint" is a 40 digit alphanumeric string: "EF6E  
> 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290".  The fingerprints and  
> their related data should match.  Here are the commands, followed by  
> how they appear on my machine:
> 
> COMMANDS:
> 
> $ gpg --edit-key 0x4E2C6E8793298290
> gpg> fpr
> gpg> q
> 
> 
> HOW THESE COMMANDS APPEAR ON MY MACHINE:
> 
> $ gpg --edit-key 0x4E2C6E8793298290
> 
> gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> pub  4096R/93298290  created: 2014-12-15  expires: never       usage: C
>                       trust: unknown       validity: undefined
> sub  4096R/F65C2036  created: 2014-12-15  expires: never       usage: S
> sub  4096R/D40814E0  created: 2014-12-15  expires: never       usage: S
> sub  4096R/589839A3  created: 2014-12-15  expires: never       usage: S
> [  undef ] (1). Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
> 
> gpg> fpr
> pub   4096R/93298290 2014-12-15 Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
>   Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329
>   8290
> 
> gpg> q
> 
> 
> 2)F)b) Check the fingerprint of the signing key with an online Public  
> Key Server.  After changing identities in TorBrowser, surf to the key  
> server of your choice.  An HTTPS connection is ideal here to prevent  
> any malicious interference.
> 
> https://pgp.mit.edu
> https://keys.gnupg.net
> https://keys.mozilla.org
> 
> Once at the Public Key Server's page, select the check box "Show PGP  
> fingerprints for keys."  Go back to terminal, to the output of "gpg>  
> fpr", and copy the eight digit key number or email address for the key  
> whose fingerprint you want to check online.  As above:
> 
> gpg> fpr
> pub   4096R/93298290 2014-12-15 Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>
> 
> Paste the eight digit key number or email address into the Public Key  
> Server's search box, and do the search.  If multiple keys show up, the  
> one key you're looking for should have the full and correct 40 digit  
> fingerprint listed with it.  Just do a "ctrl-F" search for the full  
> fingerprint within the page of search results.
> 
> Now you reasonably have secondary or tertiary confirmation of the  
> validity of your copy of TorProject's signing key.  Feel free to  
> re-check at any time.
> 
> 
> 2)F)c)  Optional.  Check online the fingerprints of the gpg keys of  
> the individuals and organizations which have signed TorProject's  
> signing key.  This step combines together a few of the previous steps.  
>   For ease, you may want to open a text editor to keep a list handy of  
> the fingerprints you've verified; there's a lot of switching back and  
> forth.
> 
> 2)F)c)1) Go back to steps 2)C) and 2)D) and get the second list of keys.
> 
>     63FEE659 4B7C3223 93298290 1B678A63 95C877E5
> 
> 2)F)c)2) Next, check in gpg the fingerprint of one of the keys.  In  
> this example I've chosen at random the first key on the list, key  
> 63FEE659 from Erinn Clark.  Call up in gpg the fingerprint using the  
> commands in 2)F)a).
> 
> $ gpg --edit-key 63FEE659
> gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> pub  2048R/63FEE659  created: 2003-10-16  expires: never       usage: SC
>                       trust: unknown       validity: full
> sub  2048R/EB399FD7  created: 2003-10-16  expires: never       usage: E
> [  full  ] (1). Erinn Clark <erinn@xxxxxxxxxxxxxx>
> [  full  ] (2)  Erinn Clark <erinn@xxxxxxxxxx>
> [ revoked] (3)  Erinn Clark <erinnc@xxxxxxxxxxxxx>
> [  full  ] (4)  Erinn Clark <erinn@xxxxxxxxxxxxxxxx>
> 
> gpg> fpr
> pub   2048R/63FEE659 2003-10-16 Erinn Clark <erinn@xxxxxxxxxxxxxx>
>   Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE
>   E659
> 
> gpg> q
> 
> 
> 2)F)c)3) Copy (ctrl-c) the full 40 digit fingerprint from your gpg  
> results.  Next, go to TorProject's page "Which PGP keys sign which  
> packages" [2] and search for the same 40 digit fingerprint, in this  
> example of key 63FEE659 from Erinn Clark.  The fingerprints and  
> related data between gpg and TorProject should match.  If ctrl-c  
> doesn't work for you, a visual check works too.
> 
>      pub   2048R/63FEE659 2003-10-16
>            Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610
>            63FE E659
>      uid                  Erinn Clark <erinn@xxxxxxxxxxxxxx>
>      uid                  Erinn Clark <erinn@xxxxxxxxxx>
>      uid                  Erinn Clark <erinn@xxxxxxxxxxxxxxxx>
>      sub   2048R/EB399FD7 2003-10-16
> 
> 
> 2)F)c)4) From here, it's faster to check all of the fingerprints of  
> the keys from step 2)F)c)1) in gpg and at TorProject, as outlined in  
> the above two steps, than it is to double and triple check with online  
> Public Key Servers in serial.
> 
> 
> 2)F)c)5) Repeat as desired the above steps 2)F)c)2) and 2)F)c)3) to  
> check the fingerprints in gpg against online Public Key Servers of  
> your choice, as listed in step 2)F)b).  Remember to use an HTTPS  
> connection and switch identities between websites.
> 
> 
> 2)G) Verify that in GPG the detached signatures (.asc) on the  
> sha256sums.txt and [TBB].tar.xz files are good.  Remember to verify  
> only files which have already passed the sha256sum verification.   
> There's been a lot of really good advice on this part of the process  
> recently, so I'll just show the commands here.
> 
> 2)G)a) The sha256sums file.
> 
> $ gpg --verify sha256sums.txt.asc sha256sums.txt
> gpg: Signature made Wed 25 Feb 2015 07:55:34 AM GMT using RSA key ID
> F65C2036
> gpg: Good signature from "Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329
> 8290
>       Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C
>       2036
> 
> 
> 2)G)b) The TorBrowserBundle file.
> 
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc  
> tor-browser-linux32-4.0.4_en-US.tar.xz
> gpg: Signature made Wed 25 Feb 2015 07:54:55 AM GMT using RSA key ID
> F65C2036
> gpg: Good signature from "Tor Browser Developers (signing key)  
> <torbrowser@xxxxxxxxxxxxxx>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329
> 8290
>       Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C
>       2036
> 
> 
> 3) Securely delete the extra files [4].  All done.
> 
> cheers,
> gz
> 
> 
> [1] https://blog.torproject.org/blog/tor-browser-404-released
> [2] https://www.torproject.org/docs/signing-keys.html.en
> [3] https://www.torproject.org/docs/verifying-signatures.html.en
> [4] https://en.wikipedia.org/wiki/List_of_data-erasing_software
> [5] https://dist.torproject.org/torbrowser/
> 
> 
> ----------------------------

Ok....I think that makes it very clear. Excellent work and thanks for
your time.




-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
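The quoted procedure has three mechanical checks that are easy to get wrong by eye: comparing several downloaded copies against each other (step 1)B), matching a tarball's SHA256 against sha256sums.txt (step 1)C), and making sure the "Primary key fingerprint" that gpg prints is the one you expected, since "Good signature" plus the "not certified" WARNING only tells you the signature is valid for *some* key. The script below is an added example written for this archive page; it is not code from the thread or from the Tor Project. All inputs are constructed (the tarball bytes, the sha256sums.txt lines and the gpg output are made up to mirror the shapes shown in the message, with an invalid e-mail domain), and gpg itself is not invoked; only the fingerprint, long key ID and short key ID quoted in the thread are real.

```python
"""Added example for the verification steps in the quoted tor-talk message.
Not part of the thread; all inputs below are constructed."""

import hashlib
import re
from collections import Counter

# --- constructed inputs -----------------------------------------------------
# Three "downloads" of the same tarball from different exit nodes (step 1)A).
# One copy is corrupted and must be detected and discarded (step 1)B).
GOOD_BLOB = b"tor-browser-linux32-4.0.4_en-US.tar.xz (constructed stand-in bytes)"
DOWNLOADS = {
    "copy1.tar.xz": GOOD_BLOB,
    "copy2.tar.xz": GOOD_BLOB,
    "copy3.tar.xz": GOOD_BLOB[:-1] + b"!",   # last byte differs
}

# sha256sums.txt in coreutils format: "<64 hex digits>  <filename>" per line.
# The second line is a constructed placeholder digest for another bundle.
SHA256SUMS_TXT = (
    hashlib.sha256(GOOD_BLOB).hexdigest() + "  tor-browser-linux32-4.0.4_en-US.tar.xz\n"
    + "0" * 64 + "  tor-browser-linux64-4.0.4_en-US.tar.xz\n"
)

# Fingerprint and key ids of the Tor Browser signing key as quoted in the thread.
EXPECTED_FPR = "EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290"
LONG_KEYID = "0x4E2C6E8793298290"
SHORT_KEYID = "93298290"

# Constructed `gpg --verify` output in the shape shown in step 2)G).
GPG_VERIFY_OUTPUT = """\
gpg: Signature made Wed 25 Feb 2015 07:55:34 AM GMT using RSA key ID F65C2036
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@example.invalid>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def agreeing_copies(copies: dict) -> tuple:
    """Step 1)B: hash every copy, keep the digest the majority agrees on,
    and return (majority_digest, names_of_copies_to_delete)."""
    digests = {name: sha256_hex(data) for name, data in copies.items()}
    majority, count = Counter(digests.values()).most_common(1)[0]
    if count < 2:
        raise ValueError("no two copies agree; re-download before trusting any of them")
    rejects = sorted(name for name, h in digests.items() if h != majority)
    return majority, rejects


def parse_sha256sums(text: str) -> dict:
    """Parse coreutils-style sha256sums.txt into {filename: hex_digest}."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$", line)
        if m:
            table[m.group(2)] = m.group(1).lower()
    return table


def check_against_list(filename: str, digest: str, sums_text: str) -> bool:
    """Step 1)C: the tarball's digest must equal the entry in sha256sums.txt."""
    return parse_sha256sums(sums_text).get(filename) == digest.lower()


def normalize_fpr(fpr: str) -> str:
    """Strip the display spacing gpg and key servers use, e.g. 'EF6E 286D ...'."""
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_matches_keyid(fpr: str, keyid: str) -> bool:
    """A v4 key id is the trailing 16 (long) or 8 (short) hex digits of the
    40-digit fingerprint; this ties the id used in --recv-keys to the
    fingerprint you verified. Short ids are only a convenience: always
    compare the full fingerprint, as in step 2)F)."""
    f = normalize_fpr(fpr)
    k = keyid.upper()
    k = k[2:] if k.startswith("0X") else k
    return len(f) == 40 and len(k) in (8, 16) and f.endswith(k)


def verify_output_ok(output: str, expected_fpr: str) -> bool:
    """Step 2)G: require 'Good signature' AND that the primary key
    fingerprint gpg prints is exactly the one verified in step 2)F).
    The 'not certified' WARNING is expected when the key has no local
    trust path; the fingerprint comparison is what closes that gap."""
    if "gpg: Good signature from" not in output:
        return False
    m = re.search(r"Primary key fingerprint:\s*([0-9A-Fa-f ]+)", output)
    return bool(m) and normalize_fpr(m.group(1)) == normalize_fpr(expected_fpr)


if __name__ == "__main__":
    digest, rejects = agreeing_copies(DOWNLOADS)
    print("majority digest:", digest, "delete:", rejects)
    print("listed in sha256sums.txt:",
          check_against_list("tor-browser-linux32-4.0.4_en-US.tar.xz", digest, SHA256SUMS_TXT))
    print("fingerprint ends in long key id:", fingerprint_matches_keyid(EXPECTED_FPR, LONG_KEYID))
    print("gpg output acceptable:", verify_output_ok(GPG_VERIFY_OUTPUT, EXPECTED_FPR))
```

On a real download, replace the constructed byte strings with the files' contents and the constructed gpg text with the real output of `gpg --verify`; the checks themselves do not change. The point of `verify_output_ok` is the one the thread circles around: a "Good signature" line is only as meaningful as the fingerprint comparison you do alongside it.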