我该如何验证 Tor 浏览器的签名？

数字签名是一个确保某个包由其开发人员生成并且未被篡改的过程。 Below we explain why it is important and how to verify that the Tor Browser you download is the one we have created and has not been modified by some attacker.

Each file on our download page is accompanied by a file labelled "signature" with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures. 它们允许你验证你下载的文件正是我们希望你获取的文件。 This will vary by web browser, but generally you can download this file by right-clicking the "signature" link and selecting the "save file as" option.

例如： torbrowser-install-win64-9.0_en-US.exe 是与 torbrowser-install-win64-9.0_en-US.exe.asc一起的。 These are example file names and will not exactly match the file names that you download.

我们现在展示如何在不同的操作系统上验证下载文件的数字签名。 请注意数字签名是标注该包被签名的时间。 因此，每个新文件上传时，都会生成具有不同日期的新签名。 只要您验证了签名，就不必担心报告的日期可能有所不同。

首先你需要安装GnuPG才能验证签名。

如果您使用 Windows， 下载 Gpg4win并运行其安装包。

为了验证签名，您需要在 Windows 命令行（cmd.exe）中输入一些命令。

如果您正在使用 macOS，您可以安装 GPGTools。

为了验证签名，您需要在（“应用程序”下的）终端中输入一些命令

如果你使用 GNU/Linux，那么可能在你的系统中已经安装了 GnuPG，因为大多数 Linux 发行版都预装了它。

为了验证签名，您需要在终端窗口中输入一些命令。如何进行此操作将取决于您的发行版。

Tor 浏览器团队为 Tor 浏览器发行版签名。 导入Tor 浏览器开发者登录密钥(0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290)：

这会向您展示像这样的内容：

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. You might be able to import the key using the Workaround (using a public key) section instead.

After importing the key, you can save it to a file (identifying it by its fingerprint here):

This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.

为了验证你下载的包的签名，除了安装文件本身，你还需要下载相应的“.asc”签名文件，并用一个命令让 GnuPG 验证你下载的文件。

下面的例子假设你已经下载了这样的两个文件到你的"下载"文件夹。 Note that these commands use example file names and yours will be different: you will have downloaded a different version than 9.0 and you may not have chosen the English (en-US) version.

命令的结果应该与以下输出相似的内容：

If you get error messages containing 'No such file or directory', either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.

如果您遇到了无法解决的问题，不妨下载并使用这个公钥来代替。或者，您还可以使用以下指令：

Tor Browser Developers key is also available on keys.openpgp.org and can be downloaded from https://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290. If you're using MacOS or GNU/Linux, the key can also be fetched by running the following command: ‪$ gpg --keyserver keys.openpgp.org --search-keys [email protected]

你也许会想了解更多关于 GnuPG。