Downloading

  • sha256sums.txt
  • downloading one or more signatures
  • the archive itself

Then verifying each signature one by one. Then creating the sha256 of the archive. Then looking into the sha256sums.txt file to see if the sha256 sum matches. These are a lot of steps. Kinda more cumbersome than verifying TBB 2.x (where you just verify the archive with a signature).

Can the required steps be reduced a bit without sacrificing security? Is shasums --check helpful?

If you want, feel free to edit this question and make it Linux/CLI specific if it's too broad.

adrelanos
  • Could you please include the links to these files? They are not in /dist of the Tor site. –  Oct 24 '13 at 12:46
  • https://blog.torproject.org/blog/tor-browser-bundle-30alpha4-released https://archive.torproject.org/tor-package-archive/torbrowser/3.0a4/ – adrelanos Oct 24 '13 at 19:46

1 Answer

This could be scripted.

#!/bin/sh

d=https://archive.torproject.org/tor-package-archive/torbrowser/3.0a4/
z=TorBrowserBundle-3.0-alpha-4-osx32_de.zip

# --no-check-certificate disables TLS certificate validation, so the
# integrity of everything fetched here rests entirely on the GPG
# signatures checked below.
wget --no-check-certificate "$d/$z"
wget --no-check-certificate "$d/sha256sums.txt"
# one detached signature per release signer
for u in dcf erinn gk ln5 mp
do
    wget --no-check-certificate "$d/sha256sums.txt.$u-asc"
done

# verified is set to 0 (success) as soon as one signature checks out
verified=1
for asc in sha256sums.txt.*-asc
do
    if gpg --verify "$asc" sha256sums.txt
    then
        verified=0
    fi
done

if [ "$verified" -eq 0 ]
then
    # keep only the line for this archive (fixed-string match, so the
    # dots in the file name are not treated as wildcards), then let
    # shasum check it against the downloaded file
    t=$(mktemp -t sha)
    grep -F "$z" sha256sums.txt > "$t"
    shasum -a 256 -c "$t"
    rm -f "$t"
else
    echo "no signature could be verified"
fi

This works on Mac OS X with all the tools installed from MacPorts.
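Two checks the script above leaves implicit, shown as an added Python example that is not part of the answer: `gpg --verify` exiting 0 only proves that some key in the local keyring signed sha256sums.txt, so the signer fingerprint reported on `gpg --status-fd` output should be compared against an allow-list, and the archive's digest should be looked up in sha256sums.txt by exact file name rather than by `grep`. The fingerprints, the archive bytes and the gpg status lines are constructed placeholders, not real Tor keys or files.

```python
import hashlib
import re

# Constructed placeholder fingerprints (not real Tor signing keys): only
# signatures made by one of these keys are accepted.
TRUSTED_FPRS = {"0000000000000000000000000000000000000001"}

def trusted_signers(status_output):
    """Parse `gpg --status-fd 1 --verify` output and return the allow-listed
    fingerprints that produced a VALIDSIG line. Exit code 0 on its own only
    means *some* key in the keyring signed the file."""
    found = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            if parts[2].upper() in TRUSTED_FPRS:
                found.add(parts[2].upper())
    return found

def parse_sha256sums(text):
    """Map file name -> hex digest for 'hash  filename' lines (sha256sum /
    shasum format, optional '*' binary marker before the name)."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def archive_matches(sums, name, data):
    """Exact-name lookup; `grep $z` would also hit names that merely contain
    $z and would treat the dots in the name as wildcards."""
    expected = sums.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

def verify_release(status_output, sums_text, name, data):
    """Whole check: a signature from a trusted key AND a matching digest."""
    return bool(trusted_signers(status_output)) and archive_matches(
        parse_sha256sums(sums_text), name, data)

# Constructed sample inputs standing in for the downloaded files.
NAME = "TorBrowserBundle-3.0-alpha-4-osx32_de.zip"
ARCHIVE = b"constructed archive contents, not a real bundle"
SUMS_TEXT = (hashlib.sha256(ARCHIVE).hexdigest() + "  " + NAME + "\n"
             + "0" * 64 + "  " + NAME + ".sig\n")  # decoy line a substring grep hits
STATUS_OK = (
    "[GNUPG:] GOODSIG 0000000000000001 Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2013-10-24 "
    "1382600000 0 4 0 1 10 00 0000000000000000000000000000000000000001\n")
STATUS_UNKNOWN = STATUS_OK.replace("0000000000000001", "0000000000000002")
```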