TL;DR - Gpg4win is unusable for the average internet user
======================================================================

Okay, I had a hard drive die on me a couple of weeks ago and I just reinstalled Windows and all the drivers on it last night. This morning when I was installing software, I thought I'd install gpg4win before Tor Browser Bundle and see if I could verify the signature since I've heard complaints that nobody ever does it.

And this is what happened: https://twitter.com/voodooKobra/status/388611802923139072/photo/1

@r00tcore was kind enough to point out that there is documentation that basically says "Yes it's OK." Confusing.

So I try it with GPA instead, following the instructions on the attached documentation. This is what I get: https://twitter.com/voodooKobra/status/388683362233102336/photo/1

There was no hand-waving in the documentation for this error. So this leads me to believe one of two things:

1) I've somehow found myself at the top of a nation state actor's hit list and am actively being targeted by all sorts of attacks (MITM, rogue certificate, etc.).

Or the more likely...

2) I'm doing something terribly wrong, and there is no way for me to figure out what exactly that is.

I'm relatively sure that I have more patience than an average internet user (the Facebook addict variant, anyway), and I'm about fed up with it. It's easier to do gpg from the command line on Linux than to do it from a GUI on Windows.

Here are the problems I faced when I attempted to perform this simple task: "Verify the signature on the Tor Browser Bundle."

1. Where is the public key used to verify the signature? I couldn't click and find this, I had to actually search on Google. I saw a @matthew_d_green tweet the other day that said something akin to, "Every click of the mouse loses half of your users," when talking about default settings. The Tor project links to the signature for each package on the downloads page, but any reference to their public key is hidden from the public's eye.

2. Kleopatra (the program that pops up when you right click > More GpgEX options > Verify) was perfectly happy to announce that there was no GPG data in the .exe when I attempted to verify it directly. While this might be silly to hackers, users will do this! Adding language that says "Please make sure you select the signature file, not the message or executable," will help move things along. Making a system that intelligently goes, "Oh, you probably meant file.exe.asc not file.exe, since they're both in the same folder," even if it asks the user to verify the correction instead of blindly switching it out, would also be a huge boon for usability.

3. Kleopatra scared me into believing that the signature was invalid, then documentation told me it was OK. Then GPA told me the signature was bad. Now I don't know what to believe or what to do next. I've fallen straight through the cracks.

In closing, if the Tor website were designed to make signature verification easier, it were much easier to verify packages on Windows from Explorer, and Kleopatra and GPA used language to help users better troubleshoot issues, I think asking the average user to verify their packages would be a much less daunting task. Since this is long, I'm sticking the TL;DR in the beginning.
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.