https://thehidden-wiki.org/wiki/index.php?action=history&feed=atom&title=Verifying_PGP_signaturesVerifying PGP signatures - Revision history2026-04-04T06:59:07ZRevision history for this page on the wikiMediaWiki 1.33.1https://thehidden-wiki.org/wiki/index.php?title=Verifying_PGP_signatures&diff=6&oldid=prevAdmin: Created page with "== Before you download Tor == :''For more info'', see the guide on the official Tor website: https://www.torproject.org/docs/verifying-signatures.html.en <div style="border:..."2019-10-31T21:07:26Z<p>Created page with "== Before you download Tor == :''For more info'', see the guide on the official Tor website: https://www.torproject.org/docs/verifying-signatures.html.en <div style="border:..."</p>
<p><b>New page</b></p><div>== Before you download Tor ==<br />
:''For more info'', see the guide on the official Tor website: https://www.torproject.org/docs/verifying-signatures.html.en<br />
<br />
<div style="border: 1px solid #bce; background: #f8fcff; padding: 8px; width: 60%; margin-left: 5%"><br />
To follow this guide, one of these three programs should be used: <br />
*'''GNU Privacy Assistant'''&mdash;comes with the GPG binary package for almost every platform. It is usually found in the same directory as the <code>gpg</code> command.*'''Kleopatra'''&mdash;comes with GnuPG4win (http://gpg4win.org). It has a more pleasant interface, but is more prone to crashing. It should be available in the '''Quick Start''' menu after the program is installed.*'''gpg via command-line interface'''&mdash;always available, but slightly more cumbersome and error-prone. On most systems, go to a command prompt and type the <code>gpg</code> command. On Windows, the command is placed in the <code>%SystemDrive%\Progra~1\GNU\GnuPG\pub</code> directory after it is installed. <br />
</div><br />
<br />
Most Tor binary executable packages are '''signed''' by Erinn Clark and can be verified using her PGP '''public key'''.<br />
<br />
#'''Obtain the PGP public key'''<br />The public key can be obtained through one of several ways:<br /><br />
#*'''Retrieving it from a keyserver'''<br />It is easiest just to use '''hkp://keys.gnupg.net''' which is the default keyserver. The fingerprint of Erinn&rsquo;s public key is '''8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659'''. Her key ID is '''0x''' followed by the last 8 characters of the fingerprint &ndash; namely, '''0x63FEE659'''. <br />
#**GNU Privacy Assistant:<br />
#**#In the '''Key Manager''', click the '''Preferences''' button (or select it from the Edit menu). The address <code>hkp://keys.gnupg.net</code> should be filled in the '''Default keyserver''' field. Click OK. <br />
#**#Click the '''Server''' menu and select '''Retrieve keys'''. A small dialog box should pop up. Input <code>0x63FEE659</code> for '''Key ID'''. Click OK.<br />
#**#If the key is found, it will be automatically imported to your keyring.<br />
#**Kleopatra:<br />
#**#Click the '''Settings''' menu and select '''Configure Kleopatra'''. When the Configure window comes up, go to the '''Directory Services''' section. You should see &ldquo;hkp://keys.gnupg.net&rdquo; listed with the scheme &ldquo;hkp&rdquo; and the &ldquo;OpenGPG&rdquo; box checked. Click OK.<br />
#**#With the main window in focus, click the '''Lookup Certificates on Server''' button (with a picture of binoculars), or select it from the File menu. The Certificate Lookup window should pop up.<br />
#**#Input <code>0x63FEE659</code> in the '''Find''' field and click '''Search'''. <br />
#**#If the key is found, select it and click '''Import''' to import it to your keyring.<br />
#**Command line:<br />Type <code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63fee659</code><br /><br /> <br />
#*'''Obtaining Erinn's key in person'''<br />This is considered the most secure, although she is an individual and cannot always give out her key to the thousands of people who use Tor regularly.<br />Since Erinn is a Debian developer, you might be able to meet her at a free software, open source software, or Linux IT conference. Hopefully there will be a sign somewhere displaying a hardcopy of her key. In that case, you can transcribe it to a keyfile (see below). If not, then maybe you can agree on another way to transfer it (such as a [http://www.gnupg.org/documentation/howtos.en.html key-signing party]).<br /><br /> <br />
#*'''Importing the key from a keyfile'''<br />Generally, the keyfile is obtained either in person (see above), by asking someone else to export it from a keyring (<code>gpg --export -a 0x63fee659 > erinn_clark.asc</code>), through a dedicated URL (for example, http://www.cacert.org/certs/cacert.asc) or by copying-and-pasting from a webpage (for example, http://dev.mysql.com/doc/refman/5.0/en/checking-gpg-signature.html).<br /><br />There is a keyfile at http://deb.torproject.org/archive-key.asc which is used to verify the [http://deb.torproject.org/torproject.org/dists/ checksums] of the [http://deb.torproject.org/torproject.org/pool/main/ Debian and Ubuntu GNU/Linux versions of Tor and Vidalia]. For other operating systems (such as Windows or Mac OS), the key must be obtained using another method.<br /><br />Once the user has a keyfile, the key may be imported in the following manner:<br />
#**GNU Privacy Assistant:<br />
#**#In the '''Key Manager''', click the '''Import''' button. A file selector should pop up.<br />
#**#Locate the file then click '''Open'''. The key should be automatically imported.<br />
#**Kleopatra:<br />
#***Drag-and-drop the file into the main window. A context menu pops up. Choose '''Import Certificates''', or<br />
#***Click the '''Import Certificates''' button, or select it from the File menu. A file selector should pop up.<br />Locate the file then click '''Open'''. The key should be automatically imported.<br />
#**Command line:<br />Type <code>gpg --import </code> followed by the name of the signature file and press <ENTER>. A modern console emulator will allow you to drag-and-drop the file instead of typing out its name.<br /><br /><br />
#'''Double-check the key's fingerprint'''<br />You will do this by physically reading it.<br />
#*GNU Privacy Assistant:<br />
#*#In the '''Key Manager''', click the '''Key ID''' column to sort the keys numerically by ID.<br />
#*#Scroll until you reach an item with ID number '''63FEE659'''. It should have the name '''Erinn Clark <erinn@torproject.org>'''.<br />
#*#Select that item.<br />
#*#In the '''Details''' tab below, you should see a row that says '''Key ID: 63FEE659'''.<br />
#*#Check that the row below it says: '''Fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659'''<br />
#*Kleopatra:<br />
#*#After importing the key, it should be listed in a new tab named '''Imported Certificates'''. If not, then open a new tab with the &ldquo;All Certificates&rdquo; option.<br />
#*#Look for an item with Key-ID '''63FEE659'''.<br />
#*#Get the key's properties by either:<br />
#*#*Double-clicking the item,<br />
#*#*Right clicking the item and choosing '''Certificate Details''', or<br />
#*#*Selecting the item, going to the '''View''' menu, then selecting '''Certificate Details'''<br />
#*Command line:<br /><br />
#*#Type <code>gpg --fingerprint 0x63fee659</code><br />
#*#Check that the program prints the following:<br /><br />
<pre style="width: 60em"><br />
pub 2048R/63FEE659 2003-10-16<br />
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659<br />
uid Erinn Clark <erinn@torproject.org><br />
uid Erinn Clark <erinn@debian.org><br />
uid Erinn Clark <erinn@double-helix.org><br />
sub 2048R/EB399FD7 2003-10-16<br />
</pre></div>Admin