
Re: [tor-talk] verifying signature when building from source, deb-style



On Mon, Sep 02, 2013 at 05:30:27PM +0200, Lunar wrote:
> Eugen Leitl:
> > I can verify signatures on Tor source packages, using key fingerprint given
> > out of band. How do I do that for https://www.torproject.org/docs/debian
> > "Building from source" (BTW, amd64 deps are missing quilt)?
> 
> weasel ships signed tag in the package Git repository. See for
> example: <https://gitweb.torproject.org/debian/tor.git/tag/dcf6b6d7d>

Thanks -- for the braindamaged, how do I verify it from there?

E.g. after checking out source a la apt-get source tor, in 
the project directory I have tor_0.2.4.16-rc-1~d70.wheezy+1.dsc
containing

Format: 1.0
Source: tor
Binary: tor, tor-dbg, tor-geoipdb
Architecture: any all
Version: 0.2.4.16-rc-1~d70.wheezy+1
Maintainer: Peter Palfrader <weasel@xxxxxxxxxx>
Homepage: https://www.torproject.org/
Standards-Version: 3.9.4
Vcs-Browser: https://gitweb.torproject.org/debian/tor.git
Vcs-Git: https://git.torproject.org/debian/tor.git
Build-Depends: debhelper (>= 8.1.0~), quilt, libssl-dev, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto, dh-apparmor
Build-Conflicts: libnacl-dev
Package-List: 
 tor deb net optional
 tor-dbg deb debug extra
 tor-geoipdb deb net extra
Checksums-Sha1: 
 ea09d36ee9bf926d5576a252e4ec0382d4cea556 2826883 tor_0.2.4.16-rc.orig.tar.gz
 3a67681dc5e5eddc1df4e9636370a2fd7a317b52 33955 tor_0.2.4.16-rc-1~d70.wheezy+1.diff.gz
Checksums-Sha256: 
 74389d688321f2671bda229b330806e7dfbc685b38bd2ee1aa90d6bc05ed93d9 2826883 tor_0.2.4.16-rc.orig.tar.gz
 996171052e9fe3b2c019aa98ae9fe59f0c21df573c2e1ec96281e6e3e63ed10f 33955 tor_0.2.4.16-rc-1~d70.wheezy+1.diff.gz
Files: 
 8d602f4f7d2ee82b7e8e485560c6bfa4 2826883 tor_0.2.4.16-rc.orig.tar.gz
 1b9134e943eb4e4852a7d0fcba4a1fb0 33955 tor_0.2.4.16-rc-1~d70.wheezy+1.diff.gz

I presume I need the signature for tor_0.2.4.16-rc.orig.tar.gz

https://gitweb.torproject.org/debian/tor.git/tag/dcf6b6d7d refers
to debian-tor-0.2.4.16-rc-1

How do I verify it, in terms of actual commands?
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
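
Added example, not part of the original message or of the Tor project's tooling: a shell function (the name dsc_check_sha256 is an assumption of this example) that checks the files fetched by apt-get source against the Checksums-Sha256 stanza of a .dsc like the one quoted above. It only ties the tarballs to the .dsc; authenticity is a separate signature check, which for the signed tag mentioned in the thread is `git tag -v debian-tor-0.2.4.16-rc-1` run in a clone of the Vcs-Git repository with the maintainer's key already in the keyring.

```shell
#!/bin/sh
# Added example: verify the files listed under Checksums-Sha256 in a .dsc.
# Usage: dsc_check_sha256 path/to/package.dsc
# Returns 0 only if every listed file sits next to the .dsc and matches both
# the recorded size and the recorded SHA-256; 1 on any mismatch or missing
# file; 2 if the .dsc has no Checksums-Sha256 stanza.
dsc_check_sha256() {
    dsc=$1
    dir=$(dirname "$dsc")
    # Stanza entries are the space-indented lines after the field name,
    # in the form: <sha256> <size> <filename>
    entries=$(awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        in_stanza && /^ /    { print $1, $2, $3; next }
        { in_stanza = 0 }
    ' "$dsc")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 stanza in $dsc" >&2; return 2; }
    rc=0
    while read -r want_sum want_size name; do
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got_size=$(wc -c < "$file" | tr -d ' ')
        got_sum=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$got_size" = "$want_size" ] && [ "$got_sum" = "$want_sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; rc=1
        fi
    done <<EOF
$entries
EOF
    return $rc
}

# When run as a script with an argument, check that .dsc.
if [ "$#" -gt 0 ]; then dsc_check_sha256 "$1"; fi
```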