Ο έλεγχος της ψηφιακής υπογραφής είναι μια διαδικασία επιβεβαίωσης πως το αρχείο είναι αυθεντικό και δεν έχει υποστεί αλλοιώσεις.
Below we explain why it is important and how to verify that the Tor Browser you download is the one we have created and has not been modified by some attacker.
Each file on our download page is accompanied by a file labelled "signature" with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures.
Σας επιτρέπει να επιβεβαιώσετε πως το αρχείο που κάνατε λήψη είναι αυθεντικό.
This will vary by web browser, but generally you can download this file by right-clicking the "signature" link and selecting the "save file as" option.
Για παράδειγμα, τοtor-browser-windows-x86_64-portable-13.0.1.exe συνοδεύεται από το tor-browser-windows-x86_64-portable-13.0.1.exe.asc.
These are example file names and will not exactly match the file names that you download.
We now show how you can verify the downloaded file's digital signature on different operating systems.
Please notice that a signature is dated the moment the package has been signed.
Therefore every time a new file is uploaded a new signature is generated with a different date.
As long as you have verified the signature you should not worry that the reported date may vary.
Εγκατάσταση GnuPG
First of all you need to have GnuPG installed before you can verify signatures.
Για χρήστες Windows:
If you run Windows, download Gpg4win and run its installer.
In order to verify the signature you will need to type a few commands in windows command-line, cmd.exe.
Για χρήστες macOS:
Εάν χρησιμοποιείτε macOS, μπορείτε να εγκαταστήσετε το GPGTools.
In order to verify the signature you will need to type a few commands in the Terminal (under "Applications").
Για χρήστες GNU/Linux:
If you are using GNU/Linux, then you probably already have GnuPG in your system, as most GNU/Linux distributions come with it preinstalled.
In order to verify the signature you will need to type a few commands in a terminal window. How to do this will vary depending on your distribution.
Ανάκτηση κλειδιού Tor Developers
Η ομάδα του Tor Browser υπογράφει τις εκδόσεις του Tor Browser.
Εισαγάγετε το κλειδί υπογραφής του Tor Browser Developers (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
Αυτό θα πρέπει να σας δείξει κάτι σαν:
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
pub rsa4096 2014-12-15 [C] [expires: 2025-07-21]
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub rsa4096 2018-05-26 [S] [expires: 2020-12-19]
If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.
After importing the key, you can save it to a file (identifying it by its fingerprint here):
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory.
If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.
Επιβεβαίωση υπογραφής
To verify the signature of the package you downloaded, you will need to download the corresponding ".asc" signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder.
Σημειώστε ότι αυτές οι εντολές χρησιμοποιούν παραδείγματα ονομάτων αρχείων και τα δικά σας θα είναι διαφορετικά: θα πρέπει να αντικαταστήσετε τα παραδείγματα ονομάτων αρχείων με τα ακριβή ονόματα των αρχείων που έχετε κατεβάσει.
Για χρήστες Windows (αλλάξτε το x86_64 σε i686 εάν έχετε το πακέτο 32-bit):
gpgv --keyring .\tor.keyring Downloads\tor-browser-windows-x86_64-portable-13.0.1.exe.asc Downloads\tor-browser-windows-x86_64-portable-13.0.1.exe
Για χρήστες macOS:
gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-macos-13.0.1.dmg.asc ~/Downloads/tor-browser-macos-13.0.1.dmg
Για χρήστες GNU/Linux (αλλάξτε το x86_64 σε i686 εάν έχετε το πακέτο 32-bit):
gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz.asc ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz
Το αποτέλεσμα της εντολής πρέπει να περιέχει:
gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.
Ανανέωση του κλειδιού PGP
Run the following command to refresh the Tor Browser Developers signing key in your local keyring from the keyserver. This will also fetch the new subkeys.
gpg --refresh-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
Επίλυση (με χρήση δημόσιου κλειδιού)
If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:
curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -
Tor Browser Developers key is also available on keys.openpgp.org and can be downloaded from https://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.
If you're using MacOS or GNU/Linux, the key can also be fetched by running the following command:
gpg --keyserver keys.openpgp.org --search-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
Μπορεί επίσης να θέλετε να μάθετε περισσότερα για το GnuPG.