数字签名是一个确保某个包由其开发人员生成并且未被篡改的过程。 下面我们解释为什么它很重要,以及如何验证您下载的 Tor 程序是我们创建的,并且未被某些攻击者修改过的程序。

Each file on our download page is accompanied by a file labelled "signature" with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures. 它们允许你验证你下载的文件正是我们希望你获取的文件。 This will vary by web browser, but generally you can download this file by right-clicking the "signature" link and selecting the "save file as" option.

例如: torbrowser-install-win64-9.0_en-US.exe 是与 torbrowser-install-win64-9.0_en-US.exe.asc一起的。 These are example file names and will not exactly match the file names that you download.

我们现在展示如何在不同的操作系统上验证下载文件的数字签名。 请注意数字签名是标注该包被签名的时间。 因此,每个新文件上传时,都会生成具有不同日期的新签名。 只要您验证了签名,就不必担心报告的日期可能有所不同。

正在安装 GnuPG

首先你需要安装GnuPG才能验证签名。

对于 Windows 的用户:

如果您使用 Windows, 下载 Gpg4win并运行其安装包。

为了验证签名,您需要在 Windows 命令行(“cmd.exe")中输入一些命令。

对于 macOS 的用户:

If you are using macOS, you can install GPGTools.

为了验证签名,您需要在(“应用程序”下的)终端中输入一些命令

对于 GNU/Linux 的用户:

如果你使用 GNU/Linux,那么可能在你的系统中已经安装了 GnuPG,因为大多数 Linux 发行版都预装了它。

为了验证签名,您需要在终端窗口中输入一些命令。如何进行此操作将取决于您的发行版。

正在提取 Tor 开发者密钥

Tor 浏览器团队为 Tor 浏览器发行版签名。 导入Tor 浏览器开发者登录密钥(0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

这会向您展示像这样的内容:

gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096 2014-12-15 [C] [expires: 2025-07-21]
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   rsa4096 2018-05-26 [S] [expires: 2020-12-19]

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.

After importing the key, you can save it to a file (identifying it by its fingerprint here):

gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.

验证签名

为了验证你下载的包的签名,除了安装文件本身,你还需要下载相应的“.asc”签名文件,并用一个命令让 GnuPG 验证你下载的文件。

下面的例子假设你已经下载了这样的两个文件到你的"下载"文件夹。 Note that these commands use example file names and yours will be different: you will have downloaded a different version than 9.0 and you may not have chosen the English (en-US) version.

对于 Windows 的用户:

gpgv --keyring .\tor.keyring Downloads\torbrowser-install-win64-9.0_en-US.exe.asc Downloads\torbrowser-install-win64-9.0_en-US.exe

对于 macOS 的用户:

gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-9.0-osx64_en-US.dmg.asc ~/Downloads/TorBrowser-9.0-osx64_en-US.dmg

对于 GNU/Linux 的用户(如果您有32位的安装包,请将64转为32)

gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-linux64-9.0_en-US.tar.xz.asc ~/Downloads/tor-browser-linux64-9.0_en-US.tar.xz

命令的结果应该与以下输出相似的内容:

gpgv: Signature made 07/08/19 04:03:49 Pacific Daylight Time
gpgv: using RSA key EB774491D9FF06E2
gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.

更多操作(使用公钥)

如果您遇到了无法解决的问题,不妨下载并使用这个公钥来代替。或者,您还可以使用以下指令:

curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -

你也许会想了解更多关于GnuPG