Verifying PGP signatures
Jump to navigation
Jump to search
Before you download Tor
- For more info, see the guide on the official Tor website: https://www.torproject.org/docs/verifying-signatures.html.en
To follow this guide, one of these three programs should be used:
- GNU Privacy Assistant—comes with the GPG binary package for almost every platform. It is usually found in the same directory as the
gpg
command.*Kleopatra—comes with GnuPG4win (http://gpg4win.org). It has a more pleasant interface, but is more prone to crashing. It should be available in the Quick Start menu after the program is installed.*gpg via command-line interface—always available, but slightly more cumbersome and error-prone. On most systems, go to a command prompt and type thegpg
command. On Windows, the command is placed in the%SystemDrive%\Progra~1\GNU\GnuPG\pub
directory after it is installed.
Most Tor binary executable packages are signed by Erinn Clark and can be verified using her PGP public key.
- Obtain the PGP public key
The public key can be obtained through one of several ways:
- Retrieving it from a keyserver
It is easiest just to use hkp://keys.gnupg.net which is the default keyserver. The fingerprint of Erinn’s public key is 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659. Her key ID is 0x followed by the last 8 characters of the fingerprint – namely, 0x63FEE659.- GNU Privacy Assistant:
- In the Key Manager, click the Preferences button (or select it from the Edit menu). The address
hkp://keys.gnupg.net
should be filled in the Default keyserver field. Click OK. - Click the Server menu and select Retrieve keys. A small dialog box should pop up. Input
0x63FEE659
for Key ID. Click OK. - If the key is found, it will be automatically imported to your keyring.
- In the Key Manager, click the Preferences button (or select it from the Edit menu). The address
- Kleopatra:
- Click the Settings menu and select Configure Kleopatra. When the Configure window comes up, go to the Directory Services section. You should see “hkp://keys.gnupg.net” listed with the scheme “hkp” and the “OpenGPG” box checked. Click OK.
- With the main window in focus, click the Lookup Certificates on Server button (with a picture of binoculars), or select it from the File menu. The Certificate Lookup window should pop up.
- Input
0x63FEE659
in the Find field and click Search. - If the key is found, select it and click Import to import it to your keyring.
- Command line:
Typegpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63fee659
- GNU Privacy Assistant:
- Obtaining Erinn's key in person
This is considered the most secure, although she is an individual and cannot always give out her key to the thousands of people who use Tor regularly.
Since Erinn is a Debian developer, you might be able to meet her at a free software, open source software, or Linux IT conference. Hopefully there will be a sign somewhere displaying a hardcopy of her key. In that case, you can transcribe it to a keyfile (see below). If not, then maybe you can agree on another way to transfer it (such as a key-signing party). - Importing the key from a keyfile
Generally, the keyfile is obtained either in person (see above), by asking someone else to export it from a keyring (gpg --export -a 0x63fee659 > erinn_clark.asc
), through a dedicated URL (for example, http://www.cacert.org/certs/cacert.asc) or by copying-and-pasting from a webpage (for example, http://dev.mysql.com/doc/refman/5.0/en/checking-gpg-signature.html).
There is a keyfile at http://deb.torproject.org/archive-key.asc which is used to verify the checksums of the Debian and Ubuntu GNU/Linux versions of Tor and Vidalia. For other operating systems (such as Windows or Mac OS), the key must be obtained using another method.
Once the user has a keyfile, the key may be imported in the following manner:- GNU Privacy Assistant:
- In the Key Manager, click the Import button. A file selector should pop up.
- Locate the file then click Open. The key should be automatically imported.
- Kleopatra:
- Drag-and-drop the file into the main window. A context menu pops up. Choose Import Certificates, or
- Click the Import Certificates button, or select it from the File menu. A file selector should pop up.
Locate the file then click Open. The key should be automatically imported.
- Command line:
Typegpg --import
followed by the name of the signature file and press <ENTER>. A modern console emulator will allow you to drag-and-drop the file instead of typing out its name.
- GNU Privacy Assistant:
- Retrieving it from a keyserver
- Double-check the key's fingerprint
You will do this by physically reading it.- GNU Privacy Assistant:
- In the Key Manager, click the Key ID column to sort the keys numerically by ID.
- Scroll until you reach an item with ID number 63FEE659. It should have the name Erinn Clark <erinn@torproject.org>.
- Select that item.
- In the Details tab below, you should see a row that says Key ID: 63FEE659.
- Check that the row below it says: Fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
- Kleopatra:
- After importing the key, it should be listed in a new tab named Imported Certificates. If not, then open a new tab with the “All Certificates” option.
- Look for an item with Key-ID 63FEE659.
- Get the key's properties by either:
- Double-clicking the item,
- Right clicking the item and choosing Certificate Details, or
- Selecting the item, going to the View menu, then selecting Certificate Details
- Command line:
- Type
gpg --fingerprint 0x63fee659
- Check that the program prints the following:
- Type
- GNU Privacy Assistant:
pub 2048R/63FEE659 2003-10-16 Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659 uid Erinn Clark <erinn@torproject.org> uid Erinn Clark <erinn@debian.org> uid Erinn Clark <erinn@double-helix.org> sub 2048R/EB399FD7 2003-10-16