What I wanted was to download Tor Browser onto macOS. Along the way, I found out what it means to verify the signature/fingerprint of a downloaded application. And I should never trust anything I downloaded…
So first I headed to https://www.torproject.org/projects/torbrowser.html.en and clicked on Download Tor Browser.
I had to select my operating system, macOS.
- Click and download the .dmg file (but DO NOT open it yet)
- Download also the .asc file
- To make sure you have never downloaded Tor before, you can
cd ~/Library/Application\ Support/
and look for a TorBrowser-Data folder. If TorBrowser-Data exists, remove and trash it. (reference from https://www.reddit.com/r/TOR/comments/7gguoy/tor_will_not_run_on_my_mac/)
- Next, for Mac users, you will need to install GPG Suite https://gpgtools.org/. This allows you to verify that the package you’ve downloaded carries a digital signature made by the developers who signed it.
- Interestingly, if you are thinking of verifying your Tor Browser, you will probably also wish to verify that the GPG Tools suite installer is authentic :D. You can read this: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
- Once your GPG is set up, go to the directory where you downloaded both the .dmg and .asc files and run
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
to use GnuPG to import the key that signed the package
- Next, according to https://www.torproject.org/docs/verifying-signatures.html.en, after importing the key above, run
gpg --fingerprint 0x4E2C6E8793298290
to display the key's fingerprint, so you can compare it with the one listed on that page
- To verify the signature of the package downloaded, run
gpg --verify TorBrowser-8.0.6-osx64_en-US.dmg{.asc*,}
- The output should say ‘good signature’ https://www.torproject.org/docs/verifying-signatures.html.en
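A "good signature" line only tells you that some key in your keyring signed the file, so a script should also check which key it was. The following is an added example, not from the original post or the Tor Project: it parses gpg's machine-readable status output and passes only when the primary-key fingerprint matches the one you supply. The function names and the sample fingerprints are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pin the signer's fingerprint rather than trusting "Good signature".

# check_status EXPECTED_FPR   (reads `gpg --status-fd` lines on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the primary key and
# no failure status appears; 2 if EXPECTED_FPR is not a full 40-hex fingerprint.
check_status() (
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  # A 64-bit key ID such as 0x4E2C6E8793298290 selects a key for import,
  # but it is not a full fingerprint, so refuse to pin on it.
  [ "${#want}" -eq 40 ] || return 2
  case $want in *[!0-9A-F]*) return 2 ;; esac
  awk -v want="$want" '
    $1 != "[GNUPG:]" { next }
    # Policy choice for this example: bad, unverifiable, expired or revoked => fail.
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" {
      # Field 3 is the key that made the signature (often a subkey);
      # field 12, when present, is the primary key fingerprint.
      primary = (NF >= 12) ? $12 : $3
      if (toupper(primary) == want) ok = 1
    }
    END { exit !(ok && !bad) }
  '
)

# verify_download FILE SIGFILE EXPECTED_FPR
verify_download() {
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status output (not captured from a real run) for trying the parser.
sample_status() {
  printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>' \
    '[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2019-03-03 1551571200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
}
```

Pass the .dmg, the .asc and the full fingerprint copied from the Tor Project's signature verification page to `verify_download`, and act on its exit status.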
That’s it. Some questions I have are:
Do all developers sign their packages and upload their public key to a key server?
What is the difference between an undefined or unknown
***The fingerprints and signatures date from when I downloaded, Mar 3 2019. They may change as the packages are updated***