Re: [tor-bugs] #3893 [Website]: Verifying-signatures needs some work
#3893: Verifying-signatures needs some work
-------------------------+--------------------------------------------------
Reporter: mikeperry | Owner: arma
Type: enhancement | Status: assigned
Priority: normal | Milestone:
Component: Website | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by anonymous6748):
One of the unfortunate problems with GnuPG on Windows or MacOSX is that
there's only one distribution of it provided by the gpg4win
http://www.gpg4win.org team. The authenticity of their binary distribution
of GnuPG does not have the same level of assurance one can get from the
distributed copy of GnuPG with a Linux distribution, as the iso images for
those usually include signed sha256 checksums.

Furthermore, it is not recommended to check the signature of a distribution
of gpg with itself (http://www.gnupg.org/download/integrity_check.html), but
I guess for Windows users this cannot be avoided unless they boot up a
LiveCD and check it from within there.

It is unlikely they have a Linux system to check gpg4win's integrity on.

Perhaps a possibility is to use an X.509 signature like the TrueCrypt team
does: http://www.truecrypt.org/docs/?s=digital-signatures

gpg4win's website also isn't https (hopefully this could change), so the
MITM vulnerability discussed on the Tor verification page could quite well
affect the project page. It is at least fortunate that gpgtools
https://www.gpgtools.org/ uses https and is verified by the StartCom Ltd
certificate authority.

In any case I've made some screenshots from a Windows 7 x64 system. These
should be included with any step-by-step instructions created for Windows.

Another thing should be noted: the gpg4win installer now puts gpg in the
user's PATH by default, so specifying the full path, i.e. "C:\Program Files
(x86)\GNU\GnuPG\gpg2.exe", is no longer required. Windows users can simply
just call "gpg2" like Linux and MacOSX users.

You should assume they have never used the command prompt, so explaining
each command is best.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3893#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online