diff --git a/content/tbb/how-to-verify-signature/contents.lr b/content/tbb/how-to-verify-signature/contents.lr index 3d69af422f3d18987418ba8be1df963d0d2f5dfe..607e19cda4f522877a9b948ab37eceb9df31f86a 100644 --- a/content/tbb/how-to-verify-signature/contents.lr +++ b/content/tbb/how-to-verify-signature/contents.lr @@ -5,13 +5,13 @@ title: How can I verify Tor Browser's signature? seo_slug: how-to-verify-signature --- description: + Digital signature is a process ensuring that a certain package was generated by its developers and has not been tampered with. Below we explain why it is important and how to verify that the Tor program you download is the one we have created and has not been modified by some attacker. Each file on our [download page](https://www.torproject.org/download/) is accompanied by a file with the same name as the package and the extension ".asc". These .asc files are GPG signatures. They allow you to verify the file you've downloaded is exactly the one that we intended you to get. For example, torbrowser-install-8.0.8_en-US.exe is accompanied by torbrowser-install-8.0.8_en-US.exe.asc. -For a list of which developer signs which package, see our [signing keys page](https://www.torproject.org/docs/signing-keys.html.en). We now show how you can verify the downloaded file's digital signature on different operating systems. Please notice that a signature is dated the moment the package has been signed. @@ -29,7 +29,7 @@ In order to verify the signature you will need to type a few commands in windows The Tor Browser team signs Tor Browser releases. Import its key (0x4E2C6E8793298290) by starting cmd.exe and typing: - gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 + gpg.exe --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org After importing the key, you can verify that the fingerprint is correct: @@ -80,7 +80,7 @@ The next step is to use GnuPG to import the key that signed your package. The Tor Browser team signs Tor Browser releases. Import its key (0x4E2C6E8793298290) by starting the terminal (under "Applications" in macOS) and typing: - gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 + gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org After importing the key, you can verify that the fingerprint is correct: