Silk Road forums

Discussion => Security => Topic started by: neo67 on August 10, 2013, 06:37 pm

Title: Does anyone verify signatures for downloaded packages?
Post by: neo67 on August 10, 2013, 06:37 pm

Ok guys, I've downloaded the new update. Then I saw a link which says 'How to verify signatures for packages'. Is this really needed, verifying sigs for the package I downloaded?

I am trying to figure it out using the Windows command line and failing like a complete noob! lol

Does anyone actually verify the packages they download? Is it really necessary?


Thanks.
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: Yoda on August 10, 2013, 08:17 pm
I verify.

You don't have to, but it's nice to know that your DL isn't tainted by government or something.  i.e. it is the file Torproject claims it to be.

You first need to find and put the Torproject signing key on your keyring... then you would need to sign it (could be as simple as right clicking the key and selecting sign... or do your command line).

Download TBB and the signature file to the same folder.  Once finished, depending on your gpg program...  you'd select the newly downloaded TBB and command your gpg to verify it using the sig file next to it.  Like if you're using gpg4win/Kleopatra; all you'd have to do is right click on the TBB DL and select verify.   Command line... you'll have to figure out the specifics there.
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: Christy Nugs on August 11, 2013, 12:33 am
GtkHash
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: Christy Nugs on August 11, 2013, 12:36 am
that was a tongue in cheek windows joke :P
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: neo67 on August 11, 2013, 09:38 am
I verify.

You don't have to, but it's nice to know that your DL isn't tainted by government or something.  i.e. it is the file Torproject claims it to be.

You first need to find and put the Torproject signing key on your keyring... then you would need to sign it (could be as simple as right clicking the key and selecting sign... or do your command line).

Download TBB and the signature file to the same folder.  Once finished, depending on your gpg program...  you'd select the newly downloaded TBB and command your gpg to verify it using the sig file next to it.  Like if you're using gpg4win/Kleopatra; all you'd have to do is right click on the TBB DL and select verify.   Command line... you'll have to figure out the specifics there.

Yoda, can you kindly take me through, step by step, how to verify signatures for my downloaded package using Kleopatra?

I can't find any help options... :~

Thank you.
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: wednesday adams on August 13, 2013, 05:25 am
I verify.

You don't have to, but it's nice to know that your DL isn't tainted by government or something.  i.e. it is the file Torproject claims it to be.

You first need to find and put the Torproject signing key on your keyring... then you would need to sign it (could be as simple as right clicking the key and selecting sign... or do your command line).

Download TBB and the signature file to the same folder.  Once finished, depending on your gpg program...  you'd select the newly downloaded TBB and command your gpg to verify it using the sig file next to it.  Like if you're using gpg4win/Kleopatra; all you'd have to do is right click on the TBB DL and select verify.   Command line... you'll have to figure out the specifics there.

I have been making myself insane trying to verify the ISO image for Tails on Mac... I've downloaded GPGTools but it doesn't seem to run on my machine. I do use the PGP that comes with Tails, but I'm trying to follow the directions on the Tails download website, which I access in OS X. Last time I gave up after about 4 hrs and just went ahead with the download and install on a live USB. This time I thought I'd be more security conscious, what with the recent scares and all, and do the ISO image verification, but I still can't make it work... Anyone out there have a step by step on this one???? Would be eternally grateful.
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: Baraka on August 13, 2013, 06:31 am
The obvious clearnet link on Torproject: https://www.torproject.org/docs/verifying-signatures.html.en
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: neo67 on August 13, 2013, 11:15 am
I too am still struggling with verifying signatures for packages.

There must be someone who can help? I've followed the manual from the link above but I can't get my gpg.exe Windows command line to work. I have never used a command line before. I am trying to run cmd.exe on the actual command line (like it says to do in the manual) -- how does that work? Do I just type it in and press enter? I've tried that so far but to no success.

Please help someone. :)
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: neo67 on August 13, 2013, 02:03 pm
Managed to run cmd.exe eventually lol, but I keep getting an error message saying it can't open/verify the signature, as follows:

C:\Users\Alice\Desktop\tor-browser-2.3.25-12_en-US.exe.asc C:\Users\Alice\Desktop\tor-browser-2.3.25-12_en-US.exe

Any ideas anyone?
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: Baraka on August 15, 2013, 06:46 am
In the directory of the files within a DOS window:

gpg --verify tor-browser-whatever.asc tor-browser-whatever.exe

As long as you have the proper key installed (fingerprint 0x416F061063FEE659) then it should be verified as correct. Otherwise you may have downloaded a DEA rootkit  :o
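The command Baraka gives, together with the "put the signing key on your keyring first" step from Yoda's post, run end to end as an added example (this is not code from anyone in the thread or from the Tor Project). It uses two throwaway keyrings: a locally generated "Demo Publisher" key stands in for the real Tor Project signing key, and a small text file stands in for the .exe; both are constructed for the demo. It is written for a POSIX shell, but the gpg invocations are the same ones you would type into gpg.exe from gpg4win, and the point it shows is the one neo67 is hitting: with the publisher's key missing from your keyring, gpg --verify cannot succeed at all.

```shell
#!/bin/sh
# Added example: detached-signature verification in throwaway keyrings.
# Nothing here touches your real ~/.gnupg; every path is under a temp dir.
set -eu

WORK="$(mktemp -d)"
PUB_HOME="$WORK/publisher"   # the publisher's keyring (holds the secret key)
USER_HOME="$WORK/user"       # your keyring: starts empty, like a fresh gpg4win install
mkdir -p "$PUB_HOME" "$USER_HOME"
chmod 700 "$PUB_HOME" "$USER_HOME"

PKG="$WORK/package.exe"          # constructed stand-in for the downloaded installer
SIG="$WORK/package.exe.asc"      # its detached, ASCII-armoured signature (the .asc file)
PUBKEY="$WORK/publisher-key.asc" # the publisher's exported public key

# --- publisher side: a constructed stand-in for the Tor Project's release signing ---
GNUPGHOME="$PUB_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Demo Publisher <demo@example.invalid>" default default never \
    >/dev/null 2>&1
printf 'constructed stand-in for the downloaded installer\n' > "$PKG"
GNUPGHOME="$PUB_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$SIG" "$PKG"
GNUPGHOME="$PUB_HOME" gpg --batch --quiet --armor --export "demo@example.invalid" > "$PUBKEY"

# --- your side ---

# Exactly the command from the thread: gpg --verify <sig> <file>.
# Returns 0 only when gpg reports a GOOD signature from a key in your keyring.
verify_package() {
    GNUPGHOME="$USER_HOME" gpg --batch --quiet --verify "$1" "$2" >/dev/null 2>&1
}

# Yoda's first step: put the publisher's public key on your keyring.
import_publisher_key() {
    GNUPGHOME="$USER_HOME" gpg --batch --quiet --import "$PUBKEY" >/dev/null 2>&1
}

# Keyring still empty: gpg cannot even identify the signer, so this fails
# (the error is "No public key", not a bad signature).
verify_before_import() {
    verify_package "$SIG" "$PKG"
}

# Key imported: the untouched file verifies.
verify_after_import() {
    import_publisher_key
    verify_package "$SIG" "$PKG"
}

# Key imported, but one byte appended to the file: gpg reports a BAD signature.
verify_tampered() {
    import_publisher_key
    cp "$PKG" "$WORK/tampered.exe"
    printf 'x' >> "$WORK/tampered.exe"
    verify_package "$SIG" "$WORK/tampered.exe"
}
```

Once the key is imported, a good signature still comes with the warning "This key is not certified with a trusted signature!", because gpg has no reason yet to believe the key belongs to who it says; the exit status is 0 regardless, and signing (or locally signing) the key after checking its fingerprint, which is the other step Yoda mentions, is what makes that warning go away.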
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: neo67 on August 15, 2013, 03:05 pm
In the directory of the files within a DOS window:

gpg --verify tor-browser-whatever.asc tor-browser-whatever.exe

As long as you have the proper key installed (fingerprint 0x416F061063FEE659) then it should be verified as correct. Otherwise you may have downloaded a DEA rootkit  :o

Ermm... how likely is that though bro? Downloading a DEA rootkit, I mean, instead of the genuine package?

It wouldn't let me verify it for some reason or another so I just went ahead and opened the package after I downloaded it. I hope it's not a DEA rootkit!!! What the hell is that anyway? Can they intercept messages that way? I always encrypt my messages with sensitive info anyway; could they somehow decrypt messages with a rootkit?

I triple checked the URL where I downloaded it from -- that's the only 'check' I've done.

Please respond.

Thanks.
Title: Re: Does anyone verify signatures for downloaded packages?
Post by: Baraka on August 17, 2013, 08:34 am
Don't worry about what I said. It's highly unlikely.

Just use the command gpg --verify with the name of the asc file followed by the name of the exe file. If you have the proper GPG key installed then it should verify no problem.