[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Problems? Verifying signatures in Tor 4.0.4



The more complicated verification gets, the more difficult it becomes for `the bad guys' to hack your files. So there's a real benefit to embracing the advanced verification process. Learning that process may take some time, but if you're quite seriously worried, then maybe it's very much worth doing. The steps below outline a fairly anonymous process. Possibly you may prefer to do all of this someplace other than at home or work, or someplace where no phones or MAC addresses have tracked you.


1) Sha256sum verification.

1)A) From different exit nodes of the Tor network, download from TorProject [5] three or more copies of each of these files. To change exit nodes, click "New Identity" in the TorButton menu.
      1)A)a) [TorBrowserBundle].tar.xz
      1)A)b) [TorBrowserBundle].tar.xz.asc (Note: ".asc" files are detatched
         signatures)
      1)A)c) sha256sums.txt
      1)A)d) sha256sums.txt.asc

1)B) Compare the SHA256 sums of each subset separately (a, then b, then c, then d) amongst themselves, and delete the ones that don't match the others [4]. Re-download new copies if necessary.

1)C) Check the SHA256 sums of [TorBrowserBundle].tar.xz against the list sha256sums.txt. Instructions on how to do this can be found at Tor's page "How to verify signatures for packages" [3]. (On Linux/OSX it's easy; maybe it's easy on Windows, too, I don't know.)


2) GPG.  (Note: command syntax shown is for gpg v.1.4.16 on Linux)

2)A) Get from TorProject the first list of keys.
2)A)a) An easier way is to just download the one signing key, listed at the TorProject Blog [1].
   2)A)b) The more thorough way is download them all, listed at [2] and below.

2)B) Import into gpg the keys on the first list.
   2)B)a) Just the signing key, listed at [1].

gpg --keyserver keys.gnupg.net --recv-keys 0x4E2C6E8793298290


   2)B)b) Or all of the keys listed at [2].

gpg --keyserver keys.gnupg.net --recv-keys 0x0E3A92E4 0x4B7C3223 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577 0xD255D3F5C868227F 0x4E2C6E8793298290


2)C) Get from gpg the second list of keys. These are the gpg keys of individuals and organizations which have signed the TorProject signing key. In the example below, what you're looking for are the eight-digit key numbers listed to the left of the term "sig," which is found in the furthermost lefthand column.

$ gpg --list-sigs 0x4E2C6E8793298290
pub   4096R/93298290 2014-12-15
uid Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>
sig          63FEE659 2015-01-13  Erinn Clark <erinn@xxxxxxxxxxxxxx>
sig          4B7C3223 2014-12-15  Georg Koppen <gk@xxxxxxxxxxxxxx>
sig 3 93298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx> sig 1B678A63 2015-02-26 Nicolas Vigier (boklm) <boklm@xxxxxxxxxxxxxxxx>
sig          95C877E5 2015-03-01  Paulo Garcia <macrinus1789@xxxxxxxxx>
sub   4096R/F65C2036 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>
sub   4096R/D40814E0 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>
sub   4096R/589839A3 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>


2)D) Import into gpg the keys on this second list.

gpg --keyserver keys.gnupg.net --recv-keys 63FEE659 4B7C3223 93298290 1B678A63 95C877E5


2)E) Optional. For verification, re-import all keys from a second and/or third source. Additional keyservers can be found online with some digging. "PKS" and "site:.edu" are fairly good search terms.

gpg --keyserver keys.mozilla.org --recv-keys 0x0E3A92E4 0x4B7C3223 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577 0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290 1B678A63 95C877E5

gpg --keyserver pgp.mit.edu --recv-keys 0x0E3A92E4 0x4B7C3223 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577 0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290 1B678A63 95C877E5


2)F) Verify online the full 40 digit fingerprint(s), or just `fingerprint,' of the key(s) you've imported. AFAIK, this can only be done one key at a time, so it's a little time consuming, but it's easy. Verification of the TorProject signing key's fingerprint is the most important.

2)F)a) Starting with the signing key, 0x4E2C6E8793298290, visually compare the "Primary key fingerprint" printed in terminal by gpg to the "Key fingerprint" listed at torproject.org on their blog [1]. The "Primary key fingerprint" is a 40 digit alphanumeric string: "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290". The fingerprints and their related data should match. Here are the commands, followed by how they appear on my machine:

COMMANDS:

$ gpg --edit-key 0x4E2C6E8793298290
gpg> fpr
gpg> q


HOW THESE COMMANDS APPEAR ON MY MACHINE:

$ gpg --edit-key 0x4E2C6E8793298290

gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  4096R/93298290  created: 2014-12-15  expires: never       usage: C
                     trust: unknown       validity: undefined
sub  4096R/F65C2036  created: 2014-12-15  expires: never       usage: S
sub  4096R/D40814E0  created: 2014-12-15  expires: never       usage: S
sub  4096R/589839A3  created: 2014-12-15  expires: never       usage: S
[ undef ] (1). Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>

gpg> fpr
pub 4096R/93298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>
 Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

gpg> q


2)F)b) Check the fingerprint of the signing key with an online Public Key Server. After changing identities in TorBrowser, surf to the key server of your choice. An HTTPS connection is ideal here to prevent any malicious interference.

https://pgp.mit.edu
https://keys.gnupg.net
https://keys.mozilla.org

Once at the Public Key Server's page, select the check box "Show PGP fingerprints for keys." Go back to terminal, to the output of "gpg> fpr", and copy the eight digit key number or email address for the key whose fingerprint you want check online. As above:

gpg> fpr
pub 4096R/93298290 2014-12-15 Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>

Paste the eight digit key number or email address into the Public Key Server's search box, and do the search. If multiple keys show up, the one key you're looking for should have the full and correct 40 digit fingerprint listed with it. Just do a "ctrl-F" search for the full fingerprint within the page of search results.

Now you reasonably have secondary or tertiary confirmation of the validity of your copy of TorProject's signing key. Feel free to re-check at any time.


2)F)c) Optional. Check online the fingerprints of the gpg keys of the individuals and organizations which have signed TorProject's signing key. This step combines together a few of the previous steps. For ease, you may want to open a text editor to keep a list handy of the fingerprints you've verified; there's a lot of switching back and forth.

2)F)c)1) Go back to steps 2)C) and 2)D) and get the second list of keys.

   63FEE659 4B7C3223 93298290 1B678A63 95C877E5

2)F)c)2) Next, check in gpg the fingerprint of one of the keys. In this example I've chosen at random the first key on the list, key 63FEE659 from Erinn Clark. Call up in gpg the fingerprint using the commands in 2)F)a).

$ gpg --edit-key 63FEE659
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  2048R/63FEE659  created: 2003-10-16  expires: never       usage: SC
                     trust: unknown       validity: full
sub  2048R/EB399FD7  created: 2003-10-16  expires: never       usage: E
[  full  ] (1). Erinn Clark <erinn@xxxxxxxxxxxxxx>
[  full  ] (2)  Erinn Clark <erinn@xxxxxxxxxx>
[ revoked] (3)  Erinn Clark <erinnc@xxxxxxxxxxxxx>
[  full  ] (4)  Erinn Clark <erinn@xxxxxxxxxxxxxxxx>

gpg> fpr
pub   2048R/63FEE659 2003-10-16 Erinn Clark <erinn@xxxxxxxxxxxxxx>
 Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

gpg> q


2)F)c)3) Copy (ctrl-c) the full 40 digit fingerprint from your gpg results. Next, go to TorProject's page "Which PGP keys sign which packages" [2] and search for the same 40 digit fingerprint, in this example of key 63FEE659 from Erinn Clark. The fingerprints and related data between gpg and Torproject should match. If ctrl-c doesn't work for you, a visual check works too.

    pub   2048R/63FEE659 2003-10-16
          Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
    uid                  Erinn Clark <erinn@xxxxxxxxxxxxxx>
    uid                  Erinn Clark <erinn@xxxxxxxxxx>
    uid                  Erinn Clark <erinn@xxxxxxxxxxxxxxxx>
    sub   2048R/EB399FD7 2003-10-16


2)F)c)4) From here, it's faster to check all of the fingerprints of the keys from step 2)F)c)1) in gpg and at TorProject, as outlined in the above two steps, than it is to double and triple check with online Public Key Servers in serial.


2)F)c)5) Repeat as desired the above steps 2)F)c)2) and 2)F)c)3) to check the fingerprints in gpg against online Public Key Servers of your choice, as listed in step 2)F)b). Remember to use an HTTPS connection and switch identities between websites.


2)G) Verify that in GPG the detached signatures (.asc) on the sha256sums.txt and [TBB].tar.xz files are good. Remember to verify only files which have already passed the sha256sum verification. There's been a lot of really good advice on this part of the process recently, so I'll just show the commands here.

2)G)a) The sha256sums file.

$ gpg --verify sha256sums.txt.asc sha256sums.txt
gpg: Signature made Wed 25 Feb 2015 07:55:34 AM GMT using RSA key ID F65C2036
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036


2)G)b) The TorBrowserBundle file.

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 07:54:55 AM GMT using RSA key ID F65C2036
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@xxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036


3) Securely delete the extra files [4].  All done.

cheers,
gz


[1] https://blog.torproject.org/blog/tor-browser-404-released
[2] https://www.torproject.org/docs/signing-keys.html.en
[3] https://www.torproject.org/docs/verifying-signatures.html.en
[4] https://en.wikipedia.org/wiki/List_of_data-erasing_software
[5] https://dist.torproject.org/torbrowser/


-------------------------------------------------

VFEmail.net - http://www.vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options! --
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk