#31296: simplify OpenPGP signature verification instructions
--------------------------------------+--------------------
     Reporter:  dkg                   |      Owner:  (none)
         Type:  defect                |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+--------------------
 The OpenPGP signature verification instructions at
 https://support.torproject.org/tbb/how-to-verify-signature/ are more
 complicated than they need to be, and more repetitive.  They also are
 confusing!

 I'll attach a revised version of the `contents.lr` file, but you can also
 see the changes with more clarity as a series of individual git commits on
 the `pgp-verification` branch of tor's `support` repo at
 https://0xacab.org/dkg/tor-support.

 The main changes are:

  * group GnuPG installation instructions in one place
  * export the tor developer OpenPGP certificate as a "keyring"
  * use `gpgv` for verification, not raw `gpg`
  * remove accidentally misleading statements about "assigning a trust
 index" and "exchanging fingerprints"
  * use fingerprints and not keyids
  * bake fingerprint verification into the workflow, rather than asking
 humans to compare them manually.

 If you disagree with any of these changes

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
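
The workflow the ticket lists (export one certificate as a keyring, verify with `gpgv`, select by fingerprint, and let the tooling compare fingerprints) could look like the sketch below. It is an added example, not taken from the ticket, the attached `contents.lr`, or the Tor support page; the function names are hypothetical, and the caller supplies the fingerprint because it does not appear on this page.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the fingerprint is an
# argument (obtain it from the project's published value, not from this page).

# Accept only a full 40-hex-digit fingerprint, never a short or long key ID.
is_full_fingerprint() {
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Export the one certificate selected by fingerprint into a standalone keyring.
# usage: export_keyring FPR OUTFILE
export_keyring() {
    is_full_fingerprint "$1" || { echo "need a full fingerprint" >&2; return 2; }
    gpg --batch --yes --output "$2" --export "$1" && [ -s "$2" ]
}

# Read gpgv status lines on stdin and succeed only if a VALIDSIG line carries
# the expected primary-key fingerprint (12th field). A missing field fails closed.
# usage: status_signed_by FPR < status-output
status_signed_by() {
    is_full_fingerprint "$1" || return 2
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($12) == want { ok = 1 }
        END { exit !ok }'
}

# Verify SIG over FILE against KEYRING only, then confirm who signed it.
# usage: verify_release FPR KEYRING SIG FILE
verify_release() {
    is_full_fingerprint "$1" || return 2
    # gpgv resolves a slash-less --keyring name in its home directory, so
    # force a bare name to be read from the current directory instead.
    case "$2" in */*) kr=$2 ;; *) kr=./$2 ;; esac
    status=$(gpgv --keyring "$kr" --status-fd 1 "$3" "$4" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_signed_by "$1"
}
```

Because `gpgv` trusts every key in the keyring it is given and nothing else, no trust assignment in the user's own GnuPG keyring is involved, and the exit status of `verify_release` is the only thing a reader has to check.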