
Check signatures

Checking signature(s) with a GUI under Windows.

This is an alternative to the other ways described by the Tor project or others.

Software used:
GnuPT (contains GPG and WinPT)
(portable version available)

It is assumed that the software is already operational.

To check a signature, the public key of the signer has to be added to the keyring. The GUI itself detects if that's not the case and asks if you want to import the public key from a keyserver.

This tutorial describes the import of key 0x63FEE659 of Erinn Clark and checking the signature for the TorBrowserBundle for Windows.

Step 1: Source of the public key

To download the public key of Erinn Clark from any keyserver, one has to know its key ID or the email address of the signer.

The key ID of Erinn Clark is 0x63fee659. This can be checked at
https://www.torproject.org/docs/signing-keys.html.en

In other cases one knows the email address of the signer, or the signer provides the public key directly.

Step 2: Import of the key

– Launch WinPT.exe
– Click on its tray icon and select “Key Management”
– Click on “keyserver” and enter the key ID
– Click on “receive”

A dialog should tell you that the key has been imported successfully.

Step 3: Checking the fingerprint

If the signer provides the fingerprint of its key, it can be checked as follows:

– In “Key Management” you can double click the imported key
– Compare the displayed fingerprint with the provided one

The fingerprint of Erinn Clark’s key can be found at
https://www.torproject.org/docs/signing-keys.html.en

In this case it's even possible to check other characteristics, for instance when the key was created.

Step 4: Checking the signature

– Click on the tray icon of WinPT and select “File Manager”
– Click on File > Open to load the signature(s) or drag and drop them into the window
– If multiple files are loaded, select those that should be processed
– Click on File > Check

Now the GUI shows a window that tells you

– which signatures have been checked,
– if those signatures are valid,
– when the signatures have been made,
– what level of trust is set for each key,
– who is the owner of the key

Checking newer versions of the TorBrowserBundle or other bundles requires only Step 4.
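
The checks from Step 3 and Step 4 can also be scripted. The following is an added example, not part of the original tutorial: it reads GnuPG's machine-readable status output and accepts a file only if the signature is valid and was made by the key with the expected full fingerprint, which is a stronger check than matching the 8-digit key ID. It assumes gpg is on the PATH; the fingerprint and status lines in the sample are constructed.

```python
import subprocess

# Statuses after which the file must not be trusted, whatever else gpg prints.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Uppercase a fingerprint and drop spaces and a leading 0x."""
    fpr = fpr.replace(" ", "").upper()
    return fpr[2:] if fpr.startswith("0X") else fpr

def evaluate_status(status_text, expected_fpr):
    """Return (ok, reason) for the output of `gpg --status-fd 1 --verify`.
    ok is True only if gpg reports VALIDSIG and every such line names the
    pinned fingerprint as the signing key or as its primary key.
    """
    expected, seen_valid = normalize(expected_fpr), False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return False, fields[1]
        if fields[1] == "VALIDSIG":
            # Argument 1 is the signing (sub)key's fingerprint; the final
            # argument, in current GnuPG, is the primary key's fingerprint.
            fprs = {f.upper() for f in (fields[2], fields[-1])}
            if expected not in fprs:
                return False, "fingerprint mismatch"
            seen_valid = True
    return (True, "VALIDSIG") if seen_valid else (False, "no VALIDSIG")

def verify(sig_path, data_path, expected_fpr):
    """Verify a detached signature with gpg and apply the check above."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout, expected_fpr)

# Constructed sample: this fingerprint and these status lines are made up.
SAMPLE_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-01-01 "
    "1356998400 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"

if __name__ == "__main__":
    print(evaluate_status(SAMPLE_GOOD, SAMPLE_FPR))
    print(evaluate_status(SAMPLE_BAD, SAMPLE_FPR))
```

To check a real download, call verify() with the paths of the signature and the downloaded file and the full fingerprint copied from the signer's published page.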

There is a German version available.
