Verifying PGP signatures

From The Hidden Wiki

Before you download Tor

For more info, see the guide on the official Tor website: https://www.torproject.org/docs/verifying-signatures.html.en

To follow this guide, one of these three programs should be used:

  • GNU Privacy Assistant (GPA)—comes with the GnuPG binary package for almost every platform. It is usually found in the same directory as the gpg command.
  • Kleopatra—comes with Gpg4win (https://gpg4win.org). It has a more pleasant interface, but is more prone to crashing. It should be available in the Start menu after the program is installed.
  • gpg via the command-line interface—always available, but slightly more cumbersome and error-prone. On most systems, go to a command prompt and type the gpg command. On Windows, the command is placed in the %SystemDrive%\Progra~1\GNU\GnuPG\pub directory after it is installed.

Most Tor binary packages are signed by Erinn Clark and can be verified using her PGP public key. Signing keys change over time, so cross-check the fingerprint given below against the one published on the official Tor page linked above before relying on it.

  1. Obtain the PGP public key
    The public key can be obtained through one of several ways:
    • Retrieving it from a keyserver
      It is easiest just to use hkp://keys.gnupg.net, which is the default keyserver. The fingerprint of Erinn's public key is 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659. Her key ID is 0x followed by the last 8 characters of the fingerprint, namely 0x63FEE659. Note that such a key ID covers only the last 32 bits of the fingerprint and is not unique: different keys can share it, so treat the ID purely as a lookup handle. Comparing the full fingerprint (step 2 below) is what actually authenticates the key.
      • GNU Privacy Assistant:
        1. In the Key Manager, click the Preferences button (or select it from the Edit menu). The address hkp://keys.gnupg.net should be filled in the Default keyserver field. Click OK.
        2. Click the Server menu and select Retrieve keys. A small dialog box should pop up. Input 0x63FEE659 for Key ID. Click OK.
        3. If the key is found, it will be automatically imported to your keyring.
      • Kleopatra:
        1. Click the Settings menu and select Configure Kleopatra. When the Configure window comes up, go to the Directory Services section. You should see “hkp://keys.gnupg.net” listed with the scheme “hkp” and the “OpenPGP” box checked. Click OK.
        2. With the main window in focus, click the Lookup Certificates on Server button (with a picture of binoculars), or select it from the File menu. The Certificate Lookup window should pop up.
        3. Input 0x63FEE659 in the Find field and click Search.
        4. If the key is found, select it and click Import to import it to your keyring.
      • Command line:
        Type gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63fee659

    • Obtaining Erinn's key in person
      This is considered the most secure method, although she is one individual and cannot hand out her key to the thousands of people who use Tor regularly.
      Since Erinn is a Debian developer, you might be able to meet her at a free software, open source software, or Linux conference. She may have her fingerprint printed on a card or poster; in that case, compare it with the fingerprint above and, if you are given the full key, transcribe it into a keyfile (see below). If not, you may be able to agree on another way to transfer it (such as a key-signing party).

    • Importing the key from a keyfile
      Generally, the keyfile is obtained either in person (see above), by asking someone else to export it from a keyring (gpg --export -a 0x63fee659 > erinn_clark.asc), through a dedicated URL (for example, https://www.cacert.org/certs/cacert.asc) or by copying-and-pasting from a webpage (for example, https://dev.mysql.com/doc/refman/5.0/en/checking-gpg-signature.html).

      There is a keyfile at https://deb.torproject.org/archive-key.asc. That key signs the apt repository metadata (the Release file, which carries the package checksums) for the Debian and Ubuntu GNU/Linux versions of Tor and Vidalia; it is not the key used for the Windows or Mac OS bundles, so for those operating systems the key must be obtained using another method.

      Once the user has a keyfile, the key may be imported in the following manner:
      • GNU Privacy Assistant:
        1. In the Key Manager, click the Import button. A file selector should pop up.
        2. Locate the file then click Open. The key should be automatically imported.
      • Kleopatra:
        • Drag-and-drop the file into the main window. A context menu pops up. Choose Import Certificates, or
        • Click the Import Certificates button, or select it from the File menu. A file selector should pop up.
          Locate the file then click Open. The key should be automatically imported.
      • Command line:
        Type gpg --import followed by the name of the keyfile and press <ENTER>. A modern console emulator will allow you to drag-and-drop the file instead of typing out its name.

  2. Double-check the key's fingerprint
    You will do this by reading the fingerprint off the screen and comparing it, group by group, with the fingerprint given above (or with the one published on the official Tor site). A key whose ID matches but whose fingerprint differs must not be trusted.
    • GNU Privacy Assistant:
      1. In the Key Manager, click the Key ID column to sort the keys numerically by ID.
      2. Scroll until you reach an item with ID number 63FEE659. It should have the name Erinn Clark [email protected]
      3. Select that item.
      4. In the Details tab below, you should see a row that says Key ID: 63FEE659.
      5. Check that the row below it says: Fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
    • Kleopatra:
      1. After importing the key, it should be listed in a new tab named Imported Certificates. If not, then open a new tab with the “All Certificates” option.
      2. Look for an item with Key-ID 63FEE659.
      3. Get the key's properties by either:
        • Double-clicking the item,
        • Right clicking the item and choosing Certificate Details, or
        • Selecting the item, going to the View menu, then selecting Certificate Details
      4. In the details window, check that the Fingerprint field reads 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659.
    • Command line:
      1. Type gpg --fingerprint 0x63fee659
      2. Check that the program prints the following:
pub   2048R/63FEE659 2003-10-16
      Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
uid                  Erinn Clark [email protected]
uid                  Erinn Clark [email protected]
uid                  Erinn Clark [email protected]
sub   2048R/EB399FD7 2003-10-16
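
The two steps above (fetch the key by ID, then compare the full fingerprint) can be scripted so that the comparison cannot be skipped. The following is an added example and is not part of this wiki page or of the Tor project's own tooling. It reads gpg's machine-readable `--with-colons` output, extracts the primary-key fingerprint, and refuses the key on any mismatch. The only values taken from the page are the fingerprint, the short key ID and the creation date; the sample colon-format records, the subkey fingerprint placeholder and the look-alike key are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): pin the expected fingerprint and refuse
# to trust any key that does not carry it, even one whose short ID 63FEE659 matches.

EXPECTED_FPR="8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659"

# Strip spaces and upper-case a fingerprint so the grouped and ungrouped
# spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key. A `pub` record is followed by an `fpr` record whose 10th field is
# the fingerprint; `fpr` records after `sub` belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Exit 0 only if the expected fingerprint ($1) is among the primary-key
# fingerprints found in the colon output on stdin.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    primary_fprs | grep -qx "$expected"
}

# Real-world use (needs gpg and network access; not exercised by the constructed
# data below): fetch by short ID, then refuse to continue unless the
# fingerprint matches the pinned value.
fetch_and_check() {
    gpg --batch --keyserver hkp://keys.gnupg.net --recv-keys 0x63fee659 || return 1
    if gpg --batch --with-colons --fingerprint 0x63fee659 | fpr_matches "$EXPECTED_FPR"; then
        echo "fingerprint OK"
    else
        echo "FINGERPRINT MISMATCH: do not trust this key" >&2
        return 1
    fi
}

# Constructed sample of gpg --with-colons output for the genuine key. The
# fingerprint, short ID and date come from the page; the subkey fingerprint
# and uid hash are placeholders.
SAMPLE_GENUINE='pub:-:2048:1:416F061063FEE659:2003-10-16:::-:::scESC:
fpr:::::::::8738A680B84B3031A630F2DB416F061063FEE659:
uid:-::::2003-10-16::0000000000000000000000000000000000000000::Erinn Clark:
sub:-:2048:1:00000000EB399FD7:2003-10-16::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Constructed look-alike key: the same short ID 63FEE659 (last 8 hex digits)
# but a different full fingerprint, which a short-ID lookup cannot distinguish.
SAMPLE_LOOKALIKE='pub:-:2048:1:89ABCDEF63FEE659:2013-01-01:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF63FEE659:
uid:-::::2013-01-01::1111111111111111111111111111111111111111::Erinn Clark:'

# Demonstration on the constructed data: the genuine key passes, the look-alike fails.
printf '%s\n' "$SAMPLE_GENUINE" | fpr_matches "$EXPECTED_FPR" && echo "genuine: accepted"
printf '%s\n' "$SAMPLE_LOOKALIKE" | fpr_matches "$EXPECTED_FPR" || echo "look-alike: rejected"
```

The script compares only primary-key fingerprints on purpose: the ID 63FEE659 and the subkey EB399FD7 are both 32-bit handles, and a fingerprint printed on a poster or the official site always refers to the primary key. If you already have the full fingerprint, `gpg --recv-keys` also accepts it in place of the short ID, which removes the look-alike problem at fetch time; the post-import check is still worth keeping as a second line of defence.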