What Tor Browser taught me about signature verification

What I wanted was to download Tor Browser onto macOS. Along the way, I found out what it means to verify the signature/fingerprint of a downloaded application, and that I should never trust anything I downloaded…

So first I headed to https://www.torproject.org/projects/torbrowser.html.en and clicked on Download Tor Browser.

I had to select my operating system (macOS) and language (English). At this point, if you hover over the links, you will notice two files: the .dmg and .asc links.

  1. Click and download the .dmg file (but DO NOT open it yet).
  2. Also download the .asc file.
  3. To make sure you have no leftovers from an earlier Tor download, cd ~/Library/Application\ Support/ and look for Tor-Browser Data. If Tor-Browser Data exists, remove and trash it. (reference: https://www.reddit.com/r/TOR/comments/7gguoy/tor_will_not_run_on_my_mac/)
  4. Next, Mac users will need to install GPG Suite from https://gpgtools.org/. This allows you to verify that the package you’ve downloaded carries the digital signature of the developers who signed it.
  5. Interestingly, if you are thinking of verifying your Tor Browser, you will probably also wish to verify that the GPG Suite installer is authentic :D. You can read this: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
  6. Once your GPG is set up, go to the directory where you downloaded both the .dmg and .asc files and run gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 to use GnuPG to import the key that signed the package.
  7. Next, according to https://www.torproject.org/docs/verifying-signatures.html.en, after importing the key above, run gpg --fingerprint 0x4E2C6E8793298290
  8. To verify the signature of the package you downloaded, run gpg --verify TorBrowser-8.0.6-osx64_en-US.dmg{.asc*,}
  9. The output should say ‘good signature’ (see https://www.torproject.org/docs/verifying-signatures.html.en).
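As an added example (my own code, not from the original post or from the Tor Project), here is how steps 7 and 8 can be automated so that the decision rests on the signing key's fingerprint in gpg's machine-readable --status-fd output rather than on the words "good signature". The expected fingerprint is a placeholder you copy from the Tor Project's verification page; the gpg status-line format is the documented one, and the sample lines in the comments are constructed.

```python
"""Added example, not from the original post or the Tor Project: accept a
download only when gpg's machine-readable status reports a VALIDSIG whose
primary-key fingerprint equals the one the Tor Project publishes. The text
"Good signature" alone is not enough: any key with a look-alike user ID
or key ID produces it."""
import subprocess

# Assumption/placeholder: paste the fingerprint printed on
# https://www.torproject.org/docs/verifying-signatures.html.en here.
EXPECTED_FINGERPRINT = "PASTE-FINGERPRINT-FROM-TORPROJECT-ORG"

# Status keywords that reject the download even if other lines look good.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def normalize_fpr(fpr):
    """Drop the spaces 'gpg --fingerprint' prints and upper-case the hex."""
    return "".join(fpr.split()).upper()

def signature_accepted(status_lines, expected_fpr):
    """Parse 'gpg --status-fd' lines (e.g. '[GNUPG:] VALIDSIG <fpr> ...');
    return (accepted, reason).

    Only VALIDSIG carries fingerprints. Its last field is the primary key's
    fingerprint (releases are signed with a subkey, while the published
    fingerprint is the primary key's). TRUST_UNDEFINED / TRUST_NEVER only
    describe the ownertrust in your own keyring, not the cryptographic
    check, so they are intentionally not fatal here."""
    expected = normalize_fpr(expected_fpr)
    valid = False
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line (human-readable text)
        keyword = fields[1]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            # Older gpg omits the primary fpr; fall back to the signing key's.
            reported = fields[-1] if len(fields) >= 12 else fields[2]
            if reported.upper() != expected:
                return False, "fingerprint mismatch: " + reported
            valid = True
    return (True, "VALIDSIG from expected key") if valid else (False, "no VALIDSIG")

def verify_download(dmg_path, asc_path, expected_fpr=EXPECTED_FINGERPRINT):
    """Step 8 of the post, decided on status lines instead of on prose."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path, dmg_path],
                          capture_output=True, text=True, check=False)
    return signature_accepted(proc.stdout.splitlines(), expected_fpr)
```

Call verify_download("TorBrowser-8.0.6-osx64_en-US.dmg", "TorBrowser-8.0.6-osx64_en-US.dmg.asc") after filling in the fingerprint; with the placeholder left in place it fails closed.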


That’s it. Some questions I have are:

Do all developers sign their packages and upload their public key to a key server?

What is the difference between an undefined or unknown

***The fingerprints and signatures are from when I downloaded, on Mar 3 2019. They may change as the packages are updated.***
