
restructure verification page (#3893, #17413) #31

Open
wants to merge 1 commit into
base: master
from

3 participants
@traumschule
Contributor

commented Aug 26, 2018

http://ea5faa5po25cf7fb.onion/projects/tor/ticket/3893

  • Current plan is to collapse the page with a css-only accordion and split it in basic steps
  1. introduction
  2. install gpg
  3. download signing key
  4. verify gpg signature
  5. verify checksums
  • Each section will have OS specific instructions. When all sections are collapsed at the beginning and users only open what they are interested in, my hope is the page will be much less confusing.

  • According to browser support for CSS3 properties the used transition feature is not supported by browsers older than: IE 10, FF 16, Chrome 26, Safari 6.1 and Opera 12.1

@traumschule traumschule force-pushed the traumschule:verification branch from a2ab6fb to b77b1d9 Aug 26, 2018


<p>The next step is to use GnuPG to import the key that signed
your package. The Tor Browser team signs Tor Browser releases. Import its
key (0x4E2C6E8793298290) by starting the terminal under "Applications"
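
Review bot: The import instruction in this hunk identifies the signing key only by its 64-bit key ID (0x4E2C6E8793298290). Suggest giving the full fingerprint here as well, EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 as shown in a later hunk header of this file, and telling readers to compare it after the import, since a key ID alone does not uniquely identify a key.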

@teor2345

teor2345 Aug 28, 2018

Member

Terminal.app is in Applications/Utilities on macOS

<h3>Import OpenPGP key on Linux</h3>
<p>
You need to have GnuPG installed before you can verify
signatures. It's probably GnuPG is alreadyy installed on your
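
Review bot: The paragraph under the "Import OpenPGP key on Linux" heading talks about having GnuPG installed, which the plan in the description lists as its own step ("install gpg") before "download signing key". Suggest moving this text to the install section or renaming the heading. Separately from the spelling, "It's probably GnuPG is" should read "GnuPG is probably".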

@teor2345

teor2345 Aug 28, 2018

Member

Typo: alreadyy

Key fingerprint = A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
sub rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
Key fingerprint = 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2
gpg: assuming signed data in 'tor-browser-osx64-<version-torbrowserbundleosx64>_en-US.tar.xz'

@teor2345

teor2345 Aug 28, 2018

Member

This is the Linux file name

@traumschule

traumschule Aug 29, 2018

Author Contributor

thanks for catching this!

@@ -210,113 +391,250 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
exchange key fingerprints.

@teor2345

teor2345 Aug 28, 2018

Member

For most of our users, international travel is really not the best method. We need to provide a better explanation here.

@traumschule

traumschule Aug 29, 2018

Author Contributor

Good point, changing to "As international travel to meet the developer might be
unfeasable you are left with trusting other people who signed this key."

</label>
<article>
<p>
Note: This process does not work on OS X yet due to Apple's codesigning requirement.

@teor2345

teor2345 Aug 28, 2018

Member

Please consistently use "macOS" throughout the document

<input id="ac-4-1" name="accordion-4" type="radio" checked />
<article class="ac-os">
<!--<pre id="ttb-key">
> gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

@teor2345

teor2345 Aug 28, 2018

Member

These instructions duplicate earlier instructions, but they're also slightly different. Is there a better way?

@traumschule

traumschule Aug 29, 2018

Author Contributor

This is commented out because I assume at this point it is OK to tell users to reproduce the above step to import the key by just telling them the key ID. I see no better option at the moment.

@teor2345

teor2345 Aug 30, 2018

Member

You should feel free to delete obsolete instructions.
We can always get them back out of git.

@teor2345
Member

left a comment

Hi, just a few minor changes left.

I feel like this document is way too wordy, but that might be ok as a reference for advanced users.

docs/en/verifying-signatures.wml
to the developer. The best method is to meet the developer in person and
exchange key fingerprints.
to the developer. As international travel to meet the developer might be
unfeasable you are left with trusting other people who signed this key.

@teor2345

teor2345 Aug 30, 2018

Member

This explanation raises security concerns, but it doesn't tell people what they should do.

If you can't give people a useful action to take to improve their security, please just tell them to ignore the warning.

One useful action might be: "use another device or another internet connection to check the key fingerprints listed on the tor website at ..."
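
The check suggested in the comment above, comparing the imported key against a fingerprint obtained over a separate channel, as an added example that is not part of the pull request or the Tor website. The fingerprint, subkey fingerprint and key ID are the ones quoted on this page; the listing is constructed sample input in the shape of `gpg --with-colons --fingerprint` output, and the function names are hypothetical.

```python
import re

# Values shown on this page; the listing below is constructed sample input
# in the shape of `gpg --with-colons --fingerprint` output, not a real capture.
PINNED_FPR = "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"
LONG_KEY_ID = "0x4E2C6E8793298290"
SAMPLE_LISTING = """\
pub:-:4096:1:4E2C6E8793298290:1400000000:::-:::scESC:
fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:
uid:-::::1400000000::::Example UID (constructed):
sub:-:4096:1:EB774491D9FF06E2:1527292800:1599868800:::::s:
fpr:::::::::110775B5D101FB36BC6C911BEB774491D9FF06E2:
"""


def normalize(hex_id):
    """Drop whitespace and a leading 0x, upper-case, and require hex digits."""
    s = re.sub(r"\s+", "", hex_id).upper()
    s = s[2:] if s.startswith("0X") else s
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError("not a hex key ID or fingerprint: %r" % hex_id)
    return s


def primary_fingerprints(listing):
    """Return the fingerprint of every primary key (pub record) in the listing."""
    found, after_pub = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            after_pub = fields[0] == "pub"
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            # Field 10 of an fpr record holds the fingerprint.
            found.append(normalize(fields[9]))
            after_pub = False
    return found


def matches_pin(listing, pinned=PINNED_FPR, long_id=LONG_KEY_ID):
    """True only if the single primary key carries the full pinned fingerprint."""
    pin = normalize(pinned)
    if len(pin) != 40 or not pin.endswith(normalize(long_id)):
        raise ValueError("pin must be a 40-digit fingerprint ending in the key ID")
    return primary_fingerprints(listing) == [pin]
```

A listing whose primary key shares the 64-bit key ID but not the full 160-bit fingerprint is rejected, which is the reason to compare the whole fingerprint rather than the ID.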

@@ -507,7 +516,7 @@ Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
<!-- Mac OS --><!--
<div>
<article class="ac-os">
This process does not work on OS X yet due to Apple's codesigning requirement.
This process does not work on macOS yet due to Apple's codesigning requirement.
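
Review bot: The renamed sentence at the end of this hunk follows the `<!-- Mac OS --><!--` line, which opens an HTML comment that is not closed within the hunk, so the "macOS" wording would not reach the rendered page. If the block is meant to be shown, remove the comment markers; if not, delete the block rather than editing text inside it.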

@teor2345

teor2345 Aug 30, 2018

Member

Please consistently use "OS X", "macOS", or "Mac OS X" throughout the document.

You could choose "macOS", because that's what Apple calls it now. Or you could match the Tor download page.

<input id="ac-4-1" name="accordion-4" type="radio" checked />
<article class="ac-os">
<!--<pre id="ttb-key">
> gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

@teor2345

teor2345 Aug 30, 2018

Member

You should feel free to delete obsolete instructions.
We can always get them back out of git.

<div>
<input id="ac-4-3" name="accordion-4" type="radio" />
<article class="ac-os ac-4-3">
<!--<pre id="ttb-key">

@teor2345

teor2345 Aug 30, 2018

Member

You should feel free to delete obsolete instructions.
We can always get them back out of git.

@traumschule traumschule changed the title WIP: verification (#3893) restructure verification page (#3893, #17413) Aug 30, 2018

@hiromipaw

Member

commented Sep 4, 2018

Hey, could you just resolve conflicts before I merge this?

@traumschule traumschule force-pushed the traumschule:verification branch from 229ac12 to ec59f0b Sep 5, 2018

@traumschule

Contributor Author

commented Sep 5, 2018

rebased.

@teor2345 sorry, lost your comments through push -f. Something above is still unresolved.

I feel like this document is way too wordy, but that might be ok as a reference for advanced users.

Maybe that's OK because we (hopefully) will soon have a shorter version in the tb-manual:
http://ea5faa5po25cf7fb.onion/projects/tor/ticket/9843

@traumschule traumschule force-pushed the traumschule:verification branch 2 times, most recently from eb87916 to 3ed3936 Sep 5, 2018

@traumschule traumschule referenced this pull request Sep 10, 2018

Open

merge download pages into one (#14686) #12

1 of 1 task complete

@traumschule traumschule force-pushed the traumschule:verification branch from 3ed3936 to 57d6d3e Oct 12, 2018

@traumschule

Contributor Author

commented Oct 12, 2018

squashed commits to docs/en/verification.wml into one and removed unrelated changes to make reviewing easier.

@traumschule traumschule force-pushed the traumschule:verification branch from 57d6d3e to 411fa77 Oct 12, 2018

add css accordion to verification page (#3893)
- add TOC
- only show instructions for selected OS
- improve usability of MacOS installation process (#17413)
- Add instructions how to verify signatures on Android (#27514)

@traumschule traumschule force-pushed the traumschule:verification branch from 411fa77 to 180b8f1 Oct 24, 2018

@traumschule

Contributor Author

commented Oct 24, 2018

updated css.
@teor2345 are you still requesting changes here?

The review is outdated.
