Part of Slepp's ProjectsPastebinTURLImagebinFilebin
Feedback -- English French German Japanese
Create Upload Newest Tools Donate


Tuesday, May 26th, 2009 at 11:38:29am UTC 

  1. How to verify signatures for packages
  2. Each file on our download page is accompanied by a file with the same name as the package and the extension ".asc". For example, the current Installation Bundle for Windows: dist/vidalia-bundles/vidalia-bundle-
  4. These .asc files are PGP signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get.
  6. Of course, you'll need to have our pgp keys in your keyring: if you don't know the pgp key, you can't be sure that it was really us who signed it. The signing keys we use are:
  8. Roger's (0x28988BF5) typically signs the source code file.
  9. Nick's (0x165733EA, or its subkey 0x8D29319A)
  10. Andrew's (0x31B0974B)
  11. Peter's (0x94C09C7F, or its subkey 0xAFA44BDD)
  12. Matt's (0x5FA14861)
  13. Jacob's (0x9D0FACE4)
  14. Step One: Import the keys
  15. You can import keys directly from GnuPG as well:
  17. gpg --keyserver --recv-keys 0x28988BF5
  18. or search for keys with
  20. gpg --keyserver --search-keys 0x28988BF5
  21. and when you select one, it will be added to your keyring.
  23. Step Two: Verify the fingerprints
  24. Verify the pgp fingerprints using:
  26. gpg --fingerprint (insert keyid here)
  27. The fingerprints for the keys should be:
  28. pub   1024D/28988BF5 2000-02-27
  29.       Key fingerprint = B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
  30. uid                  Roger Dingledine <[email protected]>
  32. pub   3072R/165733EA 2004-07-03
  33.       Key fingerprint = B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA
  34. uid                  Nick Mathewson <[email protected]>
  35. uid                  Nick Mathewson <[email protected]>
  36. uid                  Nick Mathewson <[email protected]>
  38. pub  1024D/31B0974B 2003-07-17
  39.      Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B
  40. uid                  Andrew Lewman (phobos) <[email protected]>
  41. uid                  Andrew Lewman <[email protected]>
  42. uid                  Andrew Lewman <[email protected]>
  43. sub   4096g/B77F95F7 2003-07-17
  45. pub   1024D/94C09C7F 1999-11-10
  46.       Key fingerprint = 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F
  47. uid                  Peter Palfrader
  48. uid                  Peter Palfrader <[email protected]>
  49. uid                  Peter Palfrader <[email protected]>
  51. pub   1024D/5FA14861 2005-08-17
  52.       Key fingerprint = 9467 294A 9985 3C9C 65CB  141D AF7E 0E43 5FA1 4861
  53. uid                  Matt Edman <[email protected]>
  54. uid                  Matt Edman <[email protected]>
  55. uid                  Matt Edman <[email protected]>
  56. sub   4096g/EA654E59 2005-08-17
  58. pub   1024D/9D0FACE4 2008-03-11 [expires: 2010-03-11]
  59.       Key fingerprint = 12E4 04FF D3C9 31F9 3405  2D06 B884 1A91 9D0F ACE4
  60. uid                  Jacob Appelbaum <[email protected]>
  61. sub   4096g/D5E87583 2008-03-11 [expires: 2010-03-11]
  62. (Of course if you want to be really certain that those are the real ones then you should check this from more places or even better get into key signing and build a trust path to those keys.)
  64. Step Three: Verify the downloaded package
  65. If you're using GnuPG, then put the .asc and the download in the same directory and type "gpg --verify (whatever).asc (whatever)". It will say something like "Good signature" or "BAD signature" using the following type of command:
  67. gpg --verify tor- tor-
  68. gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5
  69. gpg: Good signature from "Roger Dingledine <[email protected]>"
  70. gpg:                 aka "Roger Dingledine <[email protected]>"
  71. gpg: WARNING: This key is not certified with a trusted signature!
  72. gpg:          There is no indication that the signature belongs to the owner.
  73. Primary key fingerprint: B117 2656 DFF9 83C3 042B  C699 EB5A 896A 2898 8BF5
  74. Notice that there is a warning because you haven't assigned a trust index to this user. This means that your program verified the key made that signature. It's up to the user to decide if that key really belongs to the developers. The best method is to meet them in person and exchange gpg fingerprints. Keys can also be signed. If you look up Roger or Nick's keys, other people have essentially said "we have verified this is Roger/Nick". So if you trust that third party, then you have a level of trust for that arma/nick.
  76. All this means is you can ignore the message or assign a trust level.
  78. For your reference, this is an example of a BAD verification. It means that the signature and file contents do not match:
  80. gpg --verify tor-
  81. gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 28988BF5
  82. gpg: BAD signature from "Roger Dingledine <[email protected]>"
  83. If you see a message like the above one, then you should not trust the file contents.


Update the Post

Either update this post and resubmit it with changes, or make a new post.

You may also comment on this post.

update paste below
details of the post (optional)

Note: Only the paste content is required, though the following information can be useful to others.

Save name / title?

(space separated, optional)

Please note that information posted here will not expire by default. If you do not want it to expire, please set the expiry time above. If it is set to expire, web search engines will not be allowed to index it prior to it expiring. Items that are not marked to expire will be indexable by search engines. Be careful with your passwords. All illegal activities will be reported and any information will be handed over to the authorities, so be good.

comments powered by Disqus