Silk Road forums
Discussion => Security => Topic started by: neo67 on August 10, 2013, 06:37 pm
-
Ok guys ive downloaded the new update. Then i saw a link which says 'How to verify signatures for packages', is this really needed, verifying sigs for the package i downloaded?
I am trying to figure it out using windows command line and failing like a complete noob!lol
Does anyone actually verify the packages they download, is it really necessary?
Thanks.
-
I verify.
You don't have to, but it's nice to know that your DL isn't tainted by government or something. i.e. it is the file Torproject claims it to be.
You first need to find and put the Torproject signing key on your keyring... then you would need to sign it (could be as simple as right clicking the key and selecting sign... or do your command line).
Download TBB and the signature file to the same folder. Once finished, depending on your gpg program... you'd select the newly downloaded TBB and command your gpg to verify it using the sig file next to it. Like if you're using gpg4win/Kleopatra; all you'd have to do is right click on the TBB DL and select verify. Command line... you'll have to figure out the specifics there.
-
GtkHash
-
that was a tongue in cheek windows joke :P
-
I verify.
You don't have to, but it's nice to know that your DL isn't tainted by government or something. i.e. it is the file Torproject claims it to be.
You first need to find and put the Torproject signing key on your keyring... then you would need to sign it (could be as simple as right clicking the key and selecting sign... or do your command line).
Download TBB and the signature file to the same folder. Once finished, depending on your gpg program... you'd select the newly downloaded TBB and command your gpg to verify it using the sig file next to it. Like if you're using gpg4win/Kleopatra; all you'd have to do is right click on the TBB DL and select verify. Command line... you'll have to figure out the specifics there.
Yoda, can you kindly take me through step by step how to verify signatures for my downloaded package using kleopatra.
I can't find any help options.....:~
Thank you.
-
I verify.
You don't have to, but it's nice to know that your DL isn't tainted by government or something. i.e. it is the file Torproject claims it to be.
You first need to find and put the Torproject signing key on your keyring... then you would need to sign it (could be as simple as right clicking the key and selecting sign... or do your command line).
Download TBB and the signature file to the same folder. Once finished, depending on your gpg program... you'd select the newly downloaded TBB and command your gpg to verify it using the sig file next to it. Like if you're using gpg4win/Kleopatra; all you'd have to do is right click on the TBB DL and select verify. Command line... you'll have to figure out the specifics there.
I have been making myself insane tryingto very the iso image for tails on mac....................iv'e downloaded gpgtools but it doesn't seem to run on my machine, I do use the pgp that comes w/tails but i'm tryingto follow the dirxns on the tails download website which I access in os X, last time I gave up after about 4 hrs and just went ahead w/the dl and install ond live usb, this time I thought Id be more security conscious what w/the recent scares and all and do the iso image verification, but still cant make it work.............................anyone out there have a step by step on this one???????????? wld be eternally grateful
-
The obvious clearnet link on Torproject: https://www.torproject.org/docs/verifying-signatures.html.en
-
I am too still struggling with verifying signatures for packages.
There must be someone who can help? I've followed the manual from the link above but i can't get my gpg.exe windows command line to work. I have never used a command line before, i am trying to run cmd.exe on the actual command line(like it says to do in the manaul-- how does that work? do i just type it in and press enter---I've tried that so far but to no success.
Please help someone. :)
-
Managed to run cmd.exe eventiually lol but i keep getting an error messgae saying it cant open/verify the signature as follows ;
C:\Users\Alice\Desktop\tor-browser-2.3.25-12_en-US.exe.asc C:\Users\Alice\Desktop\tor-browser-2.3.25-12_en-US.exe
any ideas anyone?
-
In the directory of the files within a DOS window:
gpg --verify tor-browser-whatever.asc tor-browser-whatever.exe
As long as you have the proper key installed (fingerprint 0x416F061063FEE659) then it should be verified as correct. Otherwise you may have downloaded a DEA rootkit :o
-
In the directory of the files within a DOS window:
gpg --verify tor-browser-whatever.asc tor-browser-whatever.exe
As long as you have the proper key installed (fingerprint 0x416F061063FEE659) then it should be verified as correct. Otherwise you may have downloaded a DEA rootkit :o
ermm...how likely is that though bro? downloading a DEA rootkit i mean instead of the genuine package?
It wouldn't let me verify it for some reason or another so i just went ahead and opened the package after i downloaded it, i hope its not a DEA rootkit!!! what the hell is that anyway?Can they intercept messages that way? i always encrypt my messages with sensitive info anyway, could they somehow decrypt messages with a rootkit?
I triple checked the URL where i downloaded it from--thats the only 'check' i ve done
Please respond.
Thanks.
-
Don't worry about what I said. It's highly unlikely.
Just use the command gpg --verify with the name of the asc file followed by the name of the exe file. If you have the proper GPG key installed then it should verify no problem.