[tor-dev] File verification GUI tool

Subject: [tor-dev] File verification GUI tool

From: Sherief Alaa <sheriefalaa.w@xxxxxxxxx>

Date: Mon, 23 Sep 2013 22:55:54 +0200

Delivery-date: Mon, 23 Sep 2013 16:56:16 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=DDOhh3aN6pV/BxziroB2y7OrUiZgq0upsLv15csUVQs=; b=V7AFGn7umRvMbV9w2KcGJSKoIeazsT6bVEYb7ODY8vjtN5R1JTFb4AH74Hyxvgsp1t 0R2e6WD4GCXVFsLHXbrL1XWyNsKjHtNeLpQA7e3/TlPp9Iq1Ws6Dxcg8utn5knuFzT6Z GtuHxSEs4D1+d0resJn6Z853XgPW2z0MrMb1RSZ0I6Vw+uvkU3L7iIT8yqPAfSTwrl3s JtzlX3zcMjSYLh/oGtxBHmwyzkGsQTABR8kXMGDgmg616sutpgEUUadZ1WQiU6af4khg LmMufOC9wEIcgYMfGtH4gFw5BRSwGNNyqwK0NFRX9YWSBSEWvIfHjx4aXQkfyGEF3M5N wcWw==

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi Everyone,

(moving this email from the support-team ML to tor-dev as Runa suggested.)

I am starting to work on a small GUI tool for file verification because I find guiding users through the verification process on Windows/Mac through the command line painful.

Tools in use:

- Python 3.3 or 2.7 (still didn't decide yet).

- PyQT

- python-gnupg-0.3.5

I might also add a log window and a save log button to see what went wrong during the verification process.

Attached is a draft design of how the tool would look like.

On Mon, Sep 23, 2013 at 7:12 PM, Lunar <lunar@xxxxxxxxxxxxxx> wrote:

>How do you think users will be able to install such a tool on their

>system?

There won't be any installation required It's a single executable.

>More importantly, how will they be able to ensure that it's

>not a tampered version?

I've thought about that and few things came to mind:

- Include the executable inside TBB.

- Host it somewhere and also provide a SHA-256 hash on a website or in a file.

But this is all an endless chain because lets say I download TBB, then download gpg to verify it but then how do I make sure that gpg it self wasn't tampered with? (assuming I don't have it installed already.)

Any help or suggestions would be much appreciated.

Thanks.

Sherief Alaa

pgp 0x8623B882

Attachment: FileVerifierGUI.png
Description: PNG image

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev