[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file



OK, I guess I know too less about PGP. So, if someone does not have the private key, they cannot provide the right signature. So even if you download the signature and the file from a fake page, you would notice by checking the authenticity. Is that right?

Thanks again. :-)

2011/9/23 <tor@xxxxxxxxxxxxxxxxxx>
On 23/09/11 15:10, Michael Gomboc wrote:

> Thanks Andrew. But when the SSL certificate is faked....

If you have the public key which corresponds to the private key which
was used to create the signature, then it doesn't matter if the SSL
certificate is faked. Even using non-SSL http would be fine.

https://www.torproject.org/docs/verifying-signatures. hhtml

If the file, or the signature file you download are tampered with, doing
this verification will alert you to that fact.

--
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk




--
Michael Gomboc

pgp-id: 0x5D41FDF8

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk