How can I verify tor source code?

Attention: These instructions are to verify the tor source code. Please follow the right instructions to verify Tor Browser's signature.

数字签名是一个确保某个包由其开发人员生成并且未被篡改的过程。 Below we explain why it is important and how to verify that the tor source code you download is the one we have created and has not been modified by some attacker.

Each file on our download page is accompanied by two files which are labelled "checksum" and "sig" with the same name as the package and the extension ".sha256sum" and ".sha256sum.asc" respectively.

The .asc file will verify that the .sha256sum file (containing the checksum of the package) has not been tampered with. Once the signature has been validated (see below on how to do it), the package integrity can be validated with:

$ sha256sum -c *.sha256sum

These files allow you to verify the file you've downloaded is exactly the one that we intended you to get. This will vary by web browser, but generally you can download this file by right-clicking the "sig" and "checksum" link and selecting the "save file as" option.

For example, tor-0.4.6.7.tar.gz is accompanied by tor-0.4.6.7.tar.gz.sha256sum.asc. 这些是示例文件名，并不会与你所下载的文件名完全一致。

我们现在展示如何在不同的操作系统上验证下载文件的数字签名。 请注意数字签名是标注该包被签名的时间。 因此，每个新文件上传时，都会生成具有不同日期的新签名。 只要您验证了签名，就不必担心报告的日期可能有所不同。

安装 GnuPG

首先你需要安装 GnuPG 才能验证签名。

对于 Windows 的用户：

如果您使用 Windows， 下载 Gpg4win并运行其安装包。

为了验证签名，您需要在 Windows 命令行（cmd.exe）中输入一些命令。

对于 macOS 的用户：

如果您正在使用 macOS，您可以安装 GPGTools。

为了验证签名，您需要在（“应用程序”下的）终端中输入一些命令。

对于 GNU/Linux 的用户：

如果你使用 GNU/Linux，那么可能在你的系统中已经安装了 GnuPG，因为大多数 Linux 发行版都预装了它。

In order to verify the signature you will need to type a few commands in a terminal window. How to do this will vary depending on your distribution.

获取 Tor 开发者密钥

The following keys can sign the tarball. Don't expect them all, it can vary depending on who is available to make the release.

• Alexander Færøy: 514102454D0A87DB0767A1EBBE6A0531C18A9179
• David Goulet: B74417EDDF22AC9F9E90F49142E86A2A11F48D36
• Nick Mathewson: 2133BC600AB133E1D826D173FE43009C4607B1FB

You can fetch the key with the links provided above or with:

$ gpg --auto-key-locate nodefault,wkd --locate-keys ahf@torproject.org
$ gpg --auto-key-locate nodefault,wkd --locate-keys dgoulet@torproject.org
$ gpg --auto-key-locate nodefault,wkd --locate-keys nickm@torproject.org

This should show you something like (for nickm):

gpg: key FE43009C4607B1FB: public key "Nick Mathewson <nickm@torproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096 2016-09-21 [C] [expires: 2025-10-04]
      2133BC600AB133E1D826D173FE43009C4607B1FB
uid           [ unknown] Nick Mathewson <nickm@torproject.org>
sub   rsa4096 2016-09-23 [S] [expires: 2025-10-04]
sub   rsa4096 2016-09-23 [E] [expires: 2025-10-04]

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.

导入密钥后，你可以将其保存到文件中（通过这里的指纹来识别它）：

$ gpg --output ./tor.keyring --export 0x2133BC600AB133E1D826D173FE43009C4607B1FB

这条命令的结果是，密钥被保存在路径为./tor.keyring的文件中，也就是在当前目录中。 如果运行这个命令后./tor.keyring不存在，就说明出了问题，你不能继续操作，直到你弄清楚为什么会出现错误。

验证签名

To verify the signature of the package you downloaded, you will need to download the corresponding .sha256sum.asc signature file and the .sha256sum file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.

下面的例子假设你已经下载了这样的两个文件到你的"下载"文件夹。 请注意，这些命令使用的是示例文件名，而你的文件名会有所不同：你下载的版本与 9.0 不同，且你可能没有选择英文（en-US）版本。

对于 Windows 的用户：

gpgv --keyring .\tor.keyring Downloads\tor-0.4.6.10.tar.gz.sha256sum.asc Downloads\tor-0.4.6.10.tar.gz.sha256sum

对于 macOS 的用户：

gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum

For BSD/Linux users:

gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum

The result of the command should produce something like this (depending on which key signed it):

gpgv: Signature made Mon 16 Aug 2021 04:44:27 PM -03
gpgv:                using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601
gpgv: Good signature from "Nick Mathewson <nickm@torproject.org>"

如果你得到包含 "No such file or directory"的错误信息，要么是前面的某个步骤出了问题，要么是你忘记了这些命令使用的是示例文件名，而你的文件名会与此不同。

你可能还想了解有关 GnuPG 的详细信息。

Verifying checksum

Now that we validated the signatures of the checksum, we need to verify the integrity of the package.

对于 Windows 的用户：

certUtil -hashfile tor-0.4.6.10.tar.gz.sha256sum SHA256

对于 macOS 的用户：

shasum -a 256 tor-0.4.6.10.tar.gz.sha256sum

For BSD/Linux users:

sha256sum -c tor-0.4.6.10.tar.gz.sha256sum