Search Mailing List Archives
[liberationtech] Gpg4win woes
scott at arciszewski.me
Fri Oct 11 08:32:27 PDT 2013
TL;DR - Gpg4win is unusable for the average internet user
Okay, I had a hard drive die on me a couple of weeks ago and I just
reinstalled Windows and all the drivers on it last night. This morning when
I was installing software, I thought I'd install gpg4win before Tor Browser
Bundle and see if I could verify the signature since I've heard complaints
that nobody ever does it.
And this is what happened:
@r00tcore was kind enough to point out that there is documentation that
basically says "Yes it's OK." Confusing.
So I try it with GPA instead, following the instructions on the attached
documentation. This is what I get:
There was no hand-waving in the documentation for this error.
So this leads me to believe one of two things:
1) I've somehow found myself at the top of a nation state actor's hit list
and am actively being targeted by all sorts of attacks (MITM, rogue
certificate, etc.). Or the more likely...
2) I'm doing something terribly wrong, and there is no way for me to figure
out what exactly that is.
I'm relatively sure that I have more patience than an average internet user
(the Facebook addict variant, anyway), and I'm about fed up with it. It's
easier to do gpg from the command line on Linux than to do it from a GUI on
Here are the problems I faced when I attempted to perform this simple task:
"Verify the signature on the Tor Browser Bundle."
1. Where is the public key used to verify the signature? I couldn't click
and find this, I had to actually search on Google. I saw a @matthew_d_green
tweet the other day that said something akin to, "Every click of the mouse
loses half of your users," when talking about default settings. The Tor
project links to the signature for each package on the downloads page, but
any reference to their public key is hidden from the public's eye.
2. Kleopatra (the program that pops up when you right click > More GpgEX
options > Verify) was perfectly happy to announce that there was no GPG
data in the .exe when I attempted to verify it directly. While this might
be silly to hackers, users will do this! Adding language that says "Please
make sure you select the signature file, not the message or executable,"
will help move things along. Making a system that intelligently goes, "Oh,
you probably meant file.exe.asc not file.exe, since they're both in the
same folder," even if it asks the user to verify the correction instead of
blindly switching it out, would also be a huge boon for usability.
3. Kleopatra scared me into believing that the signature was invalid, then
documentation told me it was OK. Then GPA told me the signature was bad.
Now I don't know what to believe or what to do next. I've fallen straight
through the cracks.
In closing, if the Tor website was designed to make signature verification
easier, it was much easier to verify packages on Windows from Explorer, and
Kleopatra and GPA used language to help users better troubleshoot issues, I
think asking the average user to verify their packages would be a much less
Since this is long, I'm sticking the TL;DR in the beginning.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech