#31296: simplify OpenPGP signature verification instructions
--------------------------------------+--------------------
     Reporter:  dkg                   |      Owner:  (none)
         Type:  defect                |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+--------------------
The OpenPGP signature verification instructions at https://support.torproject.org/tbb/how-to-verify-signature/ are more complicated than they need to be, and more repetitive. They also are confusing!

I'll attach a revised version of the `contents.lr` file, but you can also see the changes with more clarity as a series of individual git commits on the `pgp-verification` branch of tor's `support` repo at https://0xacab.org/dkg/tor-support.

The main changes are:

 * group GnuPG installation instructions in one place
 * export the tor developer OpenPGP certificate as a "keyring"
 * use `gpgv` for verification, not raw `gpg`
 * remove accidentally misleading statements about "assigning a trust index" and "exchanging fingerprints"
 * use fingerprints and not keyids
 * bake fingerprint verification into the workflow, rather than asking humans to compare them manually.

If you disagree with any of these changes

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31296>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
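
An added example (not part of the ticket or of the revised `contents.lr`) of the workflow the list of changes describes: export one certificate, selected by full fingerprint, into a keyring file and verify with `gpgv` against only that keyring. The function names, file names and the fingerprint passed in are assumptions; the real fingerprint is not given on this page.

```shell
#!/bin/sh
# Added example, not the ticket's own instructions. Function names are
# hypothetical; the caller supplies the fingerprint (none is given on the page).

# Accept only a full 40-hex-digit (v4) fingerprint and print it normalized.
# Short (8-digit) and long (16-digit) key IDs are rejected.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# export_keyring FINGERPRINT KEYRING_FILE
# Export exactly the certificate with that fingerprint from the local gpg
# keyring. Returns 2 for a malformed fingerprint, 1 if nothing was exported.
export_keyring() {
    fpr=$(normalize_fpr "$1") || { echo "not a full fingerprint: $1" >&2; return 2; }
    rm -f -- "$2"
    gpg --batch --output "$2" --export "$fpr" || return 1
    [ -s "$2" ] || { echo "no certificate $fpr to export" >&2; return 1; }
}

# verify_release KEYRING_FILE SIGNATURE_FILE SIGNED_FILE
# gpgv accepts a signature from any key in the keyring it is given, so the
# exported keyring is the pin and no manual fingerprint comparison is needed.
verify_release() {
    case "$1" in
        */*) keyring=$1 ;;
        *)   keyring=./$1 ;;   # without a slash gpgv looks in the GnuPG home directory
    esac
    gpgv --keyring "$keyring" "$2" "$3"
}

# Typical use (placeholder fingerprint and constructed file names):
#   export_keyring "<FULL-40-HEX-FINGERPRINT>" ./tor.keyring
#   verify_release ./tor.keyring release.tar.xz.asc release.tar.xz
```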