
Comparing changes

base repository: torproject/support
base: main
head repository: andinus-contrib/support
compare: master
Can’t automatically merge. Don’t worry, you can still create the pull request.
  • 1 commit
  • 1 file changed
  • 1 contributor

Commits on Mar 18, 2020

  1. Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    94742dd
Showing with 9 additions and 5 deletions.
  1. +9 −5 content/tbb/how-to-verify-signature/contents.lr
14 changes: 9 additions & 5 deletions content/tbb/how-to-verify-signature/contents.lr
@@ -9,11 +9,6 @@ description:
Digital signature is a process ensuring that a certain package was generated by its developers and has not been tampered with.
Below we explain why it is important and how to verify that the Tor program you download is the one we have created and has not been modified by some attacker.

Each file on our [download page](https://www.torproject.org/download/) is accompanied by a file with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures.
They allow you to verify the file you've downloaded is exactly the one that we intended you to get.

For example, `torbrowser-install-win64-9.0_en-US.exe` is accompanied by `torbrowser-install-win64-9.0_en-US.exe.asc`.

We now show how you can verify the downloaded file's digital signature on different operating systems.
Please notice that a signature is dated the moment the package has been signed.
Therefore every time a new file is uploaded a new signature is generated with a different date.
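
Review bot: With the download-page paragraph and the `torbrowser-install-win64-9.0_en-US.exe.asc` example taken out of this introduction, the lines that remain here ("We now show how you can verify the downloaded file's digital signature" and "Please notice that a signature is dated the moment the package has been signed") talk about a signature before the reader has been told that it is a separate ".asc" file next to the package. Consider keeping one short sentence at this point saying that each package has a matching ".asc" OpenPGP signature file, described under "Downloading the signature", or moving the note about signature dates down into that section as well so the two stay together.
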
@@ -62,6 +57,15 @@ After importing the key, you can save it to a file (identifying it by fingerprin

gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

This command will save the key to tor.keyring file in current directory. If the output says, `gpg: WARNING: nothing exported` then don't proceed further because the correct key was not imported.

### Downloading the signature

Each file on our [download page](https://www.torproject.org/download/) is accompanied by a file with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures.
They allow you to verify the file you've downloaded is exactly the one that we intended you to get.

For example, `torbrowser-install-win64-9.0_en-US.exe` is accompanied by `torbrowser-install-win64-9.0_en-US.exe.asc`.

### Verifying the signature

To verify the signature of the package you downloaded, you will need to download the corresponding ".asc" signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
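
Review bot: The sentence added after the `gpg --output ./tor.keyring --export` command tells the reader "then don't proceed further" when gpg prints `gpg: WARNING: nothing exported`, but it gives no next step, so someone who hits the warning is left with nowhere to go. Suggest finishing the sentence with a pointer back to the key import step, for example "go back to the previous step and import the key again". In the same line, "to tor.keyring file in current directory" reads better as "to the file `tor.keyring` in the current directory". Separately, the new "Downloading the signature" section describes the ".asc" file but contains no actual download instruction, while the first sentence under "Verifying the signature" still says "you will need to download the corresponding ".asc" signature file", so the two sections overlap; one of them should own that instruction.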