What Tor Browser taught me about signature verification

What I wanted was to download Tor Browser onto macOS. Along the way, I found out what it means to verify a signature/fingerprint of the downloaded application. And I should never trust anything I downloaded…

So first I headed to https://www.torproject.org/projects/torbrowser.html.en and clicked on Download Tor Browser.

I had to select my operating system, macOS, English. At this point, if you hover over the links, you will notice 2 files – the .dmg and .asc links.

  1. Click and download the .dmg file (but DO NOT open it yet)
  2. Download also the .asc file
  3. Make sure you have never downloaded Tor before. You can `cd ~/Library/Application\ Support/` and look for Tor-Browser Data. If Tor-Browser Data exists, remove and trash it. (reference from https://www.reddit.com/r/TOR/comments/7gguoy/tor_will_not_run_on_my_mac/)
  4. Next, Mac users will need to install GPG Suite https://gpgtools.org/. This allows you to verify that the package you’ve downloaded carries a digital signature made by the developers who signed it
  5. Interestingly, if you are thinking of verifying your Tor Browser, you will probably also wish to verify that the GPG Suite installer is authentic :D, you can read this https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
  6. Once your GPG is set up, go to the directory where you downloaded both the .dmg and .asc files and run `gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290` to use GnuPG to import the key that signed the package
  7. Next, according to https://www.torproject.org/docs/verifying-signatures.html.en, after importing the key above, run `gpg --fingerprint 0x4E2C6E8793298290`
  8. To verify the signature of the package downloaded, run `gpg --verify TorBrowser-8.0.6-osx64_en-US.dmg{.asc*,}`
  9. The output should say ‘good signature’ https://www.torproject.org/docs/verifying-signatures.html.en
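
An added example, not part of the original post or the Tor Project's instructions: ‘good signature’ only says that some key in your keyring made the signature, so a script should also check which key it was. The shell functions below read gpg's machine-readable `--status-fd` output and accept a signature only when its primary key fingerprint equals one you pinned; the function names, fingerprints and status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the post.

# status_ok_for_key FPR
# Reads the output of `gpg --status-fd 1 --verify SIG FILE` on stdin. Succeeds
# only if a VALIDSIG line carries FPR as the primary-key fingerprint (the last
# field) and gpg reported no bad, expired or revoked signature or key.
status_ok_for_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-hex-digit fingerprint; refuse short or long key IDs.
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_download FPR FILE SIG: run gpg itself and apply the check above.
verify_download() {
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | status_ok_for_key "$1"
}

# Constructed status lines: a subkey made the signature, so the
# pinned primary-key fingerprint is the last VALIDSIG field.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Example Signer (constructed)
[GNUPG:] VALIDSIG 9999999999999999999999991111222233334444 2019-03-03 1551571200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

PINNED=0123456789ABCDEF0123456789ABCDEF01234567   # constructed placeholder
if sample_status | status_ok_for_key "$PINNED"; then
    echo "signature was made by the pinned key"
fi
```

With real files, call `verify_download "<fingerprint from the project's verification page>" TorBrowser-8.0.6-osx64_en-US.dmg TorBrowser-8.0.6-osx64_en-US.dmg.asc`, taking the fingerprint from the project's website rather than from the keyserver.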

That’s it. Some questions I have are,

Do all developers sign their packages and upload their public key to a key server?

What is the difference between an undefined or unknown

***The fingerprints and signatures are dated when I downloaded Mar 3 2019. They may change as the packages are updated***

Setting up website from scratch

Setting up a WordPress site on your own server. Follow the instructions. 😀

  1. purchase a domain (namecheap)
  2. Generate your SSH keys now; you will need them later to add your public key in DigitalOcean and to ssh into your server. https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54
    • cd to your ssh folder `~/.ssh` to generate the keys directly there
  3. Set up a server (DigitalOcean)
    • Create a droplet – Ubuntu 18.04.2, Standard, cheapest at $5/month
    • Add a domain (which you’ve purchased): enter example.com and create a new type `A` record. This will generate name servers which you can then add back in namecheap.com
  4. in Namecheap.com, navigate to the domain above and select manage
    • Under the nameservers tab, select CustomDNS and add all the `NS` values generated by DigitalOcean
  5. You need to update your nameservers with your domain registrar for the records below to take effect.
  6. Set your nameservers to point to your custom DNS (DigitalOcean)
  7. Now ssh into your server! `ssh root@example.com` or `ssh -i ~/.ssh/nameoffile root@example.com`
  8. On your server, follow the instructions for MariaDB and PHP. https://websiteforstudents.com/install-wordpress-on-ubuntu-18-04-lts-bata-with-nginx-mariadb-and-php-fpm/
  9. A note: `chown -R www-data:www-data /var/www/html` sets ownership of the default web root, so the files are owned by the user account used by your web server. WordPress will ask for FTP credentials if it detects that it does not have permission to write the needed files itself.
  10. Emphasizing the password for the root user on login https://serverfault.com/questions/795290/admin-password-of-mariadb-doesnt-seem-to-work
  11. https://www.nginx.com/blog/installing-wordpress-with-nginx-unit/
  12. unlink /etc/nginx/sites-enabled/default
  13. At this point nginx conf is not yet complete, so let’s head to letsencrypt https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

Took me 2 years to understand what I’m doing, but I could still be wrong. Hah.