Little-t-tor

Attention: These instructions are meant for installing tor the network daemon i.e. little-t-tor. For instructions on installing Tor Browser, refer to Tor Browser user manual.

Admin access: To install Tor you need root privileges. Below all commands that need to be run as root user like apt and dpkg are prepended with '#', while commands to be run as user with '$' resembling the standard prompt in a terminal. To open a root terminal you have several options: sudo su, or sudo -i, or su -i. Note that sudo asks for your user password, while su expects the root password of your system.

Debian / Ubuntu

Do not use the packages in Ubuntu's universe. In the past they have not reliably been updated. That means you could be missing stability and security fixes.

  1. Configure Tor package repository

Enable the Tor Project APT repository by following the instructions.

  1. Package installation

    # apt install tor

Fedora

  1. Configure Tor Package repository

Enable the Tor Project's RPM package repository by following the instructions.

  1. Package installation

    # dnf install tor

FreeBSD

  1. Package installation

    # pkg install tor

OpenBSD

  1. Package installation

    # pkg_add tor

macOS

  1. Install a package manager

There are two package manager on OS X: Homebrew and Macports. You can use the package manager of your choice.

To install Homebrew follow the instructions on brew.sh.

To install Macports follow the instructions on macports.org/install.php.

  1. Package installation

If you are using Homebrew in a Terminal window, run:

# brew install tor

If you are using Macports in a Terminal window, run:

$ sudo port install tor

Arch Linux

  1. To install the tor package on Arch Linux, run:
# pacman -Syu tor

DragonFlyBSD

  1. Bootstrap pkg

DragonFlyBSD's daily snapshots and releases (starting with 3.4) come with pkg already installed. Upgrades from earlier releases, however, will not have it. If pkg is missing on the system for any reason, it can be quickly bootstrapped without having to build it from source or even having DPorts installed:

# cd /usr
# make pkg-bootstrap
# rehash
# pkg-static install -y pkg
# rehash

1.1 Recommended steps to setup pkg

Here, it will be similar to what we have on a FreeBSD system, and we are going to use HTTPS to fetch our packages, and updates - so here we also need an extra package to help us out (ca_root_nss).

Installing the ca_root_nss package:

# pkg install ca_root_nss

For fresh installations, the file /usr/local/etc/pkg/repos/df-latest.conf.sample is copied to /usr/local/etc/pkg/repos/df-latest. The files ending in the ".sample" extension are ignored; pkg(8) only reads files that end in ".conf" and it will read as many as it finds.

DragonflyBSD has 2 packages repositories:

  • Avalon (mirror-master.dragonflybsd.org);
  • Wolfpond (pkg.wolfpond.org).

We can simply edit the URL used to point out the repositories on /usr/local/etc/pkg/repos/df-latest and that's it! Remember to use pkg+https:// for Avalon.

After applying all these changes, we update the packages list again and try to check if there's already a new update to apply:

# pkg update -f
# pkg upgrade -y -f
  1. Package installation

Install the tor package:

# pkg install tor

NetBSD

  1. Setup pkg_add

Modern versions of the NetBSD operating system can be set to use pkgin, which is a piece of software aimed to be like apt or yum for managing pkgsrc binary packages. We are not convering its setup here, and opt to use plain pkg_add instead.

# echo "PKG_PATH=http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$(uname -m)/$(uname -r)/All" > /etc/pkg_install.conf
  1. Package installation

Install tor NetBSD's package:

# pkg_add tor

Void Linux

To install the tor package on Void Linux, please run:

# xbps-install -S tor

Installing Tor from source

  1. Download latest release and dependencies

The latest release of Tor can be found on the download page.

If you're building from source, first install libevent, and make sure you have openssl and zlib (including the -devel packages if applicable).

  1. Install Tor

    tar -xzf tor-0.4.3.6.tar.gz; cd tor-0.4.3.6

    ./configure && make

Now you can run tor as src/app/tor (0.4.3.x and later), or you can run make install (as root if necessary) to install it into /usr/local/, and then you can start it just by running tor.

Attention: These instructions are to verify the tor source code. Please follow the right instructions to verify Tor Browser's signature.

Tandatangan digital adalah proses yang memastikan paket tertentu memang diterbitkan oleh pengembangnya dan tidak dirusak. Below we explain why it is important and how to verify that the tor source code you download is the one we have created and has not been modified by some attacker.

Each file on our download page is accompanied by two files which are labelled "checksum" and "sig" with the same name as the package and the extension ".sha256sum" and ".sha256sum.asc" respectively.

The .asc file will verify that the .sha256sum file (containing the checksum of the package) has not been tampered with. Once the signature has been validated (see below on how to do it), the package integrity can be validated with:

$ sha256sum -c *.sha256sum

These files allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "sig" and "checksum" link and selecting the "save file as" option.

For example, tor-0.4.6.7.tar.gz is accompanied by tor-0.4.6.7.tar.gz.sha256sum.asc. Ini adalah contoh nama berkas dan tidak akan sama persis dengan nama berkas yang Anda unduh.

Kami sekarang menunjukkan bagaimana Anda dapat memverifikasi tandatangan digital di berkas yang diunduh pada sistem operasi yang berbeda. Harap perhatikan bahwa tanda tangan diberi tanggal saat paket telah ditandatangani. Oleh karena itu setiap kali berkas baru diunggah, tanda tangan baru dibuat dengan tanggal yang berbeda. Selama Anda telah memverifikasi tanda tangan, Anda tidak perlu khawatir bahwa tanggal yang dilaporkan mungkin berbeda.

memasang GnuPG

Pertama-tama Anda harus memasang GnuPG sebelum Anda dapat memverifikasi tanda tangan.

Untuk pengguna Windows:

Jika Anda menggunakan Windows, unduh Gpg4win dan jalankan pemasangnya.

Untuk memverifikasi tanda tangan, Anda perlu mengetik beberapa perintah di baris perintah windows, cmd.exe.

Untuk pengguna macOS:

Jika Anda menggunakan macOS, Anda dapat memasang GPGTools.

Untuk memverifikasi tanda tangan, Anda perlu mengetikkan beberapa perintah di Terminal (di bawah "Aplikasi").

Untuk pengguna GNU/Linux:

Jika Anda menggunakan GNU/Linux, maka Anda mungkin sudah memiliki GnuPG di sistem Anda, karena sebagian besar distribusi GNU/Linux sudah dipasang sebelumnya.

In order to verify the signature you will need to type a few commands in a terminal window. How to do this will vary depending on your distribution.

Mengambil kunci Pengembang Tor

The following keys can sign the tarball. Don't expect them all, it can vary depending on who is available to make the release.

You can fetch the key with the links provided above or with:

$ gpg --auto-key-locate nodefault,wkd --locate-keys ahf@torproject.org
$ gpg --auto-key-locate nodefault,wkd --locate-keys dgoulet@torproject.org
$ gpg --auto-key-locate nodefault,wkd --locate-keys nickm@torproject.org

This should show you something like (for nickm):

gpg: key FE43009C4607B1FB: public key "Nick Mathewson <nickm@torproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096 2016-09-21 [C] [expires: 2025-10-04]
      2133BC600AB133E1D826D173FE43009C4607B1FB
uid           [ unknown] Nick Mathewson <nickm@torproject.org>
sub   rsa4096 2016-09-23 [S] [expires: 2025-10-04]
sub   rsa4096 2016-09-23 [E] [expires: 2025-10-04]

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.

Setelah mengimpor kunci, Anda dapat menyimpannya ke berkas (mengidentifikasi dengan sidik jari di sini):

$ gpg --output ./tor.keyring --export 0x2133BC600AB133E1D826D173FE43009C4607B1FB

Perintah ini menghasilkan kunci yang disimpan ke berkas yang ditemukan di jalur ./tor.keyring, yaitu di direktori saat ini. Jika ./tor.keyring tidak ada setelah menjalankan perintah ini, ada yang salah dan Anda tidak dapat melanjutkan sampai Anda mengetahui mengapa ini tidak berhasil.

Memverifikasi tanda tangan

To verify the signature of the package you downloaded, you will need to download the corresponding .sha256sum.asc signature file and the .sha256sum file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.

Contoh di bawah ini mengasumsikan bahwa Anda mengunduh dua berkas ini ke folder "Unduhan". Perhatikan bahwa perintah ini menggunakan contoh nama berkas dan milik Anda akan berbeda: Anda akan mengunduh versi yang berbeda dari 9.0 dan Anda mungkin tidak memilih versi bahasa Inggris (en-US).

Untuk pengguna Windows:

gpgv --keyring .\tor.keyring Downloads\tor-0.4.6.10.tar.gz.sha256sum.asc Downloads\tor-0.4.6.10.tar.gz.sha256sum

Untuk pengguna macOS:

gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum

For BSD/Linux users:

gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum

The result of the command should produce something like this (depending on which key signed it):

gpgv: Signature made Mon 16 Aug 2021 04:44:27 PM -03
gpgv:                using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601
gpgv: Good signature from "Nick Mathewson <nickm@torproject.org>"

Jika Anda mendapatkan galat kesalahan yang berisi 'Tidak ada berkas atau direktori seperti itu', kemungkian ada yang salah dengan salah satu langkah sebelumnya, atau Anda lupa bahwa perintah ini menggunakan contoh nama berkas dan milik Anda akan sedikit berbeda.

Anda mungkin juga ingin mempelajari lebih lanjut tentang GnuPG.

Verifying checksum

Now that we validated the signatures of the checksum, we need to verify the integrity of the package.

Untuk pengguna Windows:

certUtil -hashfile tor-0.4.6.10.tar.gz.sha256sum SHA256

Untuk pengguna macOS:

shasum -a 256 tor-0.4.6.10.tar.gz.sha256sum

For BSD/Linux users:

sha256sum -c tor-0.4.6.10.tar.gz.sha256sum