On Tue, Mar 3, 2015, at 12:49 AM, goofyzrn...@vfemail.net wrote:
> The more complicated verification gets, the more difficult it becomes
> for `the bad guys' to hack your files. So there's a real benefit to
> embracing the advanced verification process. Learning that process
> may take some time, but if you're quite seriously worried, then maybe
> it's very much worth doing. The steps below outline a fairly
> anonymous process. Possibly you may prefer to do all of this
> someplace other than at home or work, or someplace where no phones or
> MAC addresses have tracked you.
>
>
> 1) Sha256sum verification.
>
> 1)A) From different exit nodes of the Tor network, download from
> TorProject [5] three or more copies of each of these files. To change
> exit nodes, click "New Identity" in the TorButton menu.
> 1)A)a) [TorBrowserBundle].tar.xz
> 1)A)b) [TorBrowserBundle].tar.xz.asc (Note: ".asc" files are detached
> signatures)
> 1)A)c) sha256sums.txt
> 1)A)d) sha256sums.txt.asc
>
> 1)B) Compare the SHA256 sums of each subset separately (a, then b,
> then c, then d) amongst themselves, and delete the ones that don't
> match the others [4]. Re-download new copies if necessary.
>
> 1)C) Check the SHA256 sums of [TorBrowserBundle].tar.xz against
> the list sha256sums.txt. Instructions on how to do this can be found
> at Tor's page "How to verify signatures for packages" [3]. (On
> Linux/OSX it's easy; maybe it's easy on Windows, too, I don't know.)
>
>
> 2) GPG. (Note: command syntax shown is for gpg v.1.4.16 on Linux)
>
> 2)A) Get from TorProject the first list of keys.
> 2)A)a) An easier way is to just download the one signing key,
> listed at the TorProject Blog [1].
> 2)A)b) The more thorough way is to download them all, listed at [2] and
> below.
>
> 2)B) Import into gpg the keys on the first list.
> 2)B)a) Just the signing key, listed at [1].
>
> gpg --keyserver keys.gnupg.net --recv-keys 0x4E2C6E8793298290
>
>
> 2)B)b) Or all of the keys listed at [2].
>
> gpg --keyserver keys.gnupg.net --recv-keys 0x0E3A92E4 0x4B7C3223
> 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A
> 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6
> 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577
> 0xD255D3F5C868227F 0x4E2C6E8793298290
>
>
> 2)C) Get from gpg the second list of keys. These are the gpg keys of
> individuals and organizations which have signed the TorProject signing
> key. In the example below, what you're looking for are the eight-digit
> key numbers listed to the left of the term "sig," which is found in
> the furthermost left-hand column.
>
> $ gpg --list-sigs 0x4E2C6E8793298290
> pub   4096R/93298290 2014-12-15
> uid                  Tor Browser Developers (signing key) <torbrow...@torproject.org>
> sig          63FEE659 2015-01-13  Erinn Clark <er...@torproject.org>
> sig          4B7C3223 2014-12-15  Georg Koppen <g...@torproject.org>
> sig 3        93298290 2014-12-15  Tor Browser Developers (signing key) <torbrow...@torproject.org>
> sig          1B678A63 2015-02-26  Nicolas Vigier (boklm) <bo...@mars-attacks.org>
> sig          95C877E5 2015-03-01  Paulo Garcia <macrinus1...@gmail.com>
> sub   4096R/F65C2036 2014-12-15
> sig          93298290 2014-12-15  Tor Browser Developers (signing key) <torbrow...@torproject.org>
> sub   4096R/D40814E0 2014-12-15
> sig          93298290 2014-12-15  Tor Browser Developers (signing key) <torbrow...@torproject.org>
> sub   4096R/589839A3 2014-12-15
> sig          93298290 2014-12-15  Tor Browser Developers (signing key) <torbrow...@torproject.org>
>
>
> 2)D) Import into gpg the keys on this second list.
>
> gpg --keyserver keys.gnupg.net --recv-keys 63FEE659 4B7C3223 93298290
> 1B678A63 95C877E5
>
>
> 2)E) Optional. For verification, re-import all keys from a second
> and/or third source. Additional keyservers can be found online with
> some digging. "PKS" and "site:.edu" are fairly good search terms.
>
> gpg --keyserver keys.mozilla.org --recv-keys 0x0E3A92E4 0x4B7C3223
> 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A
> 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6
> 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577
> 0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290
> 1B678A63 95C877E5
>
> gpg --keyserver pgp.mit.edu --recv-keys 0x0E3A92E4 0x4B7C3223
> 0xD0220E4B 0x23291265 0x28988BF5 0x19F78451 0x165733EA 0x8D29319A
> 0x63FEE659 0xF1F5C9B5 0x31B0974B 0x6B4D6475 0x886DDD89 0x9ABBEEC6
> 0xC5AA446D 0xC11F62765 0xBE2CD9C1 0xC82E0039 0xE1DEC577
> 0xD255D3F5C868227F 0x4E2C6E8793298290 63FEE659 4B7C3223 93298290
> 1B678A63 95C877E5
>
>
> 2)F) Verify online the full 40 digit fingerprint(s), or just
> `fingerprint,' of the key(s) you've imported. AFAIK, this can only be
> done one key at a time, so it's a little time consuming, but it's
> easy. Verification of the TorProject signing key's fingerprint is the
> most important.
>
> 2)F)a) Starting with the signing key, 0x4E2C6E8793298290, visually
> compare the "Primary key fingerprint" printed in terminal by gpg to
> the "Key fingerprint" listed at torproject.org on their blog [1]. The
> "Primary key fingerprint" is a 40 digit alphanumeric string: "EF6E
> 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290". The fingerprints and
> their related data should match. Here are the commands, followed by
> how they appear on my machine:
>
> COMMANDS:
>
> $ gpg --edit-key 0x4E2C6E8793298290
> gpg> fpr
> gpg> q
>
>
> HOW THESE COMMANDS APPEAR ON MY MACHINE:
>
> $ gpg --edit-key 0x4E2C6E8793298290
>
> gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> pub  4096R/93298290  created: 2014-12-15  expires: never       usage: C
>                      trust: unknown       validity: undefined
> sub  4096R/F65C2036  created: 2014-12-15  expires: never       usage: S
> sub  4096R/D40814E0  created: 2014-12-15  expires: never       usage: S
> sub  4096R/589839A3  created: 2014-12-15  expires: never       usage: S
> [ undef ] (1). Tor Browser Developers (signing key) <torbrow...@torproject.org>
>
> gpg> fpr
> pub   4096R/93298290 2014-12-15 Tor Browser Developers (signing key) <torbrow...@torproject.org>
> Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
>
> gpg> q
>
>
> 2)F)b) Check the fingerprint of the signing key with an online Public
> Key Server. After changing identities in TorBrowser, surf to the key
> server of your choice. An HTTPS connection is ideal here to prevent
> any malicious interference.
>
> https://pgp.mit.edu
> https://keys.gnupg.net
> https://keys.mozilla.org
>
> Once at the Public Key Server's page, select the check box "Show PGP
> fingerprints for keys." Go back to terminal, to the output of "gpg>
> fpr", and copy the eight digit key number or email address for the key
> whose fingerprint you want to check online. As above:
>
> gpg> fpr
> pub   4096R/93298290 2014-12-15 Tor Browser Developers (signing key) <torbrow...@torproject.org>
>
> Paste the eight digit key number or email address into the Public Key
> Server's search box, and do the search. If multiple keys show up, the
> one key you're looking for should have the full and correct 40 digit
> fingerprint listed with it. Just do a "ctrl-F" search for the full
> fingerprint within the page of search results.
>
> Now you reasonably have secondary or tertiary confirmation of the
> validity of your copy of TorProject's signing key. Feel free to
> re-check at any time.
>
>
> 2)F)c) Optional. Check online the fingerprints of the gpg keys of
> the individuals and organizations which have signed TorProject's
> signing key. This step combines together a few of the previous steps.
> For ease, you may want to open a text editor to keep a list handy of
> the fingerprints you've verified; there's a lot of switching back and
> forth.
>
> 2)F)c)1) Go back to steps 2)C) and 2)D) and get the second list of keys.
>
> 63FEE659 4B7C3223 93298290 1B678A63 95C877E5
>
> 2)F)c)2) Next, check in gpg the fingerprint of one of the keys. In
> this example I've chosen at random the first key on the list, key
> 63FEE659 from Erinn Clark. Call up in gpg the fingerprint using the
> commands in 2)F)a).
>
> $ gpg --edit-key 63FEE659
> gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> pub  2048R/63FEE659  created: 2003-10-16  expires: never       usage: SC
>                      trust: unknown       validity: full
> sub  2048R/EB399FD7  created: 2003-10-16  expires: never       usage: E
> [  full  ] (1). Erinn Clark <er...@torproject.org>
> [  full  ] (2)  Erinn Clark <er...@debian.org>
> [ revoked] (3)  Erinn Clark <eri...@bellsouth.net>
> [  full  ] (4)  Erinn Clark <er...@double-helix.org>
>
> gpg> fpr
> pub   2048R/63FEE659 2003-10-16 Erinn Clark <er...@torproject.org>
> Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
>
> gpg> q
>
>
> 2)F)c)3) Copy (ctrl-c) the full 40 digit fingerprint from your gpg
> results. Next, go to TorProject's page "Which PGP keys sign which
> packages" [2] and search for the same 40 digit fingerprint, in this
> example of key 63FEE659 from Erinn Clark. The fingerprints and
> related data between gpg and TorProject should match. If ctrl-c
> doesn't work for you, a visual check works too.
>
> pub   2048R/63FEE659 2003-10-16
>       Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
> uid                  Erinn Clark <er...@torproject.org>
> uid                  Erinn Clark <er...@debian.org>
> uid                  Erinn Clark <er...@double-helix.org>
> sub   2048R/EB399FD7 2003-10-16
>
>
> 2)F)c)4) From here, it's faster to check all of the fingerprints of
> the keys from step 2)F)c)1) in gpg and at TorProject, as outlined in
> the above two steps, than it is to double and triple check with online
> Public Key Servers in serial.
>
>
> 2)F)c)5) Repeat as desired the above steps 2)F)c)2) and 2)F)c)3) to
> check the fingerprints in gpg against online Public Key Servers of
> your choice, as listed in step 2)F)b). Remember to use an HTTPS
> connection and switch identities between websites.
>
>
> 2)G) Verify that in GPG the detached signatures (.asc) on the
> sha256sums.txt and [TBB].tar.xz files are good. Remember to verify
> only files which have already passed the sha256sum verification.
> There's been a lot of really good advice on this part of the process
> recently, so I'll just show the commands here.
>
> 2)G)a) The sha256sums file.
>
> $ gpg --verify sha256sums.txt.asc sha256sums.txt
> gpg: Signature made Wed 25 Feb 2015 07:55:34 AM GMT using RSA key ID F65C2036
> gpg: Good signature from "Tor Browser Developers (signing key) <torbrow...@torproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
>      Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
>
>
> 2)G)b) The TorBrowserBundle file.
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
> gpg: Signature made Wed 25 Feb 2015 07:54:55 AM GMT using RSA key ID F65C2036
> gpg: Good signature from "Tor Browser Developers (signing key) <torbrow...@torproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
>      Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
>
>
> 3) Securely delete the extra files [4]. All done.
>
> cheers,
> gz
>
>
> [1] https://blog.torproject.org/blog/tor-browser-404-released
> [2] https://www.torproject.org/docs/signing-keys.html.en
> [3] https://www.torproject.org/docs/verifying-signatures.html.en
> [4] https://en.wikipedia.org/wiki/List_of_data-erasing_software
> [5] https://dist.torproject.org/torbrowser/
Ok....I think that makes it very clear. Excellent work and thanks for your time.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
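The comparison of downloaded copies (step 1)B), the lookup in sha256sums.txt (step 1)C) and the detached-signature check (step 2)G) from the quoted procedure, done by script rather than by eye. This is an added Python example, not code from the thread or from the Tor Project. It uses GnuPG's machine-readable `--status-fd` output instead of the human-readable "Good signature" line, because gpg prints "Good signature" for any key in the keyring (hence the "not certified" warning in the quoted output); the script only accepts a VALIDSIG whose primary-key fingerprint equals the one verified in step 2)F)a). The status lines and tarball bytes below are constructed for the demo, and the `gpg_verify` helper name is the example's own.

```python
"""Added example: script the sha256 and signature checks from the quoted procedure.
The status-line format is GnuPG's documented --status-fd output; SAMPLE_STATUS
below is constructed for the demo, not captured from a real run."""
import hashlib
import re
import subprocess
from collections import Counter

# Primary fingerprint of the Tor Browser signing key as quoted in step 2)F)a);
# confirm it yourself against [1]/[2] before pinning it.
TOR_BROWSER_SIGNING_KEY_FPR = "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory blob (stands in for the tarball in the demo)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, streamed so a large tarball is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def agree_on_copies(digests):
    """Step 1)B): digests of the copies fetched via different exit nodes.
    Returns (majority_digest, indices_of_copies_to_delete). The majority is
    None when no digest is shared by at least two copies: then every copy is
    suspect and all of them should be re-downloaded."""
    if not digests:
        return None, []
    digest, count = Counter(digests).most_common(1)[0]
    if count < 2:
        return None, list(range(len(digests)))
    return digest, [i for i, d in enumerate(digests) if d != digest]


def parse_sha256sums(text):
    """Step 1)C): parse sha256sums.txt ('<64 hex>  <filename>' per line) into
    {filename: lowercase digest}. Lines of any other shape are ignored."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9A-Fa-f]{64})\s+\*?(\S.*?)\s*$", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def listed_digest_matches(filename, digest, sums):
    """True only if sha256sums.txt lists this exact filename with this digest."""
    return sums.get(filename) == digest.lower()


def signature_ok(status_output, expected_primary_fpr):
    """Step 2)G): judge gpg's status lines. Require GOODSIG plus a VALIDSIG whose
    last field (the primary-key fingerprint) equals the pinned one; any BADSIG,
    ERRSIG, expired/revoked key or missing key fails outright."""
    expected = expected_primary_fpr.replace(" ", "").upper()
    good, primary = False, None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            primary = fields[-1].upper()
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False
    return good and primary == expected


def gpg_verify(sig_path, data_path, expected_primary_fpr=TOR_BROWSER_SIGNING_KEY_FPR):
    """Run gpg with --status-fd 1 and decide with signature_ok() (needs gpg
    installed and the signing key imported as in step 2)B); not run in the demo)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return signature_ok(proc.stdout, expected_primary_fpr)


# Constructed --status-fd output for a good signature by the F65C2036 subkey
# (fingerprints as quoted in step 2)G)a); timestamp and other fields made up).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7017ADCEF65C2036 Tor Browser Developers (signing key) <torbrow...@torproject.org>
[GNUPG:] VALIDSIG 5242013F02AFC851B1C736B87017ADCEF65C2036 2015-02-25 1424850934 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] TRUST_UNDEFINED
"""

if __name__ == "__main__":
    # Constructed stand-in for the tarball: three "downloads", the third tampered.
    good = b"tor-browser-bundle bytes (constructed)"
    copies = [good, good, good + b"\x00"]
    digest, delete = agree_on_copies([sha256_bytes(c) for c in copies])
    print("majority digest:", digest, "delete copies:", delete)
    sums = parse_sha256sums(f"{digest}  tor-browser-linux32-4.0.4_en-US.tar.xz\n")
    print("listed in sha256sums.txt:",
          listed_digest_matches("tor-browser-linux32-4.0.4_en-US.tar.xz", digest, sums))
    print("signature pinned to Tor signing key:",
          signature_ok(SAMPLE_STATUS, TOR_BROWSER_SIGNING_KEY_FPR))
```

Run the same `signature_ok` check on the output of `gpg --status-fd 1 --verify sha256sums.txt.asc sha256sums.txt` first, and only then on the tarball, mirroring the order in 2)G)a) and 2)G)b); a tarball whose digest is not listed in a sha256sums.txt that itself carries a pinned-key signature should never reach the unpack step.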