onionshare/docs/source/install.rst

Installation
============

Windows or macOS
----------------

You can download OnionShare for Windows and macOS from the `OnionShare website <https://onionshare.org/>`_.

.. _linux:

Install in Linux
----------------

There are various ways to install OnionShare for Linux, but the recommended way is to use either the `Flatpak <https://flatpak.org/>`_ or the `Snapcraft <https://snapcraft.io/>`_ package.
Flatpak and Snapcraft ensure that you'll always use the newest version and run OnionShare inside of a sandbox.

Snapcraft is built-in to Ubuntu and Flatpak is built-in to Fedora, but which you use is up to you. Both work in all Linux distributions.

**Install OnionShare using Flatpak**: https://flathub.org/apps/details/org.onionshare.OnionShare

**Install OnionShare using Snapcraft**: https://snapcraft.io/onionshare

You can also download and install a PGP-signed ``.flatpak`` or ``.snap`` packages from https://onionshare.org/dist/ if you prefer.

.. _verifying_sigs:

Verifying PGP signatures
------------------------

You can verify that the package you download is legitimate and hasn't been tampered with by verifying its PGP signature.
For Windows and macOS, this step is optional and provides defense in depth: the OnionShare binaries include operating system-specific signatures, and you can just rely on those alone if you'd like.

Signing key
^^^^^^^^^^^

Packages are signed by Micah Lee, the core developer, using his PGP public key with fingerprint ``927F419D7EC82C2F149C1BD1403C2657CD994F73``. You can download Micah's key `from the keys.openpgp.org keyserver <https://keys.openpgp.org/vks/v1/by-fingerprint/927F419D7EC82C2F149C1BD1403C2657CD994F73>`_.

You must have GnuPG installed to verify signatures. For macOS you probably want `GPGTools <https://gpgtools.org/>`_, and for Windows you probably want `Gpg4win <https://www.gpg4win.org/>`_.

Signatures
^^^^^^^^^^

You can find the signatures (``.asc`` files), as well as Windows, macOS, Flatpak, Snapcraft, and source packages, at https://onionshare.org/dist/ in the folders named for each version of OnionShare.
You can also find them on the `GitHub Releases page <https://github.com/micahflee/onionshare/releases>`_.

Verifying
^^^^^^^^^

Once you have imported Micah's public key into your GnuPG keychain, downloaded the binary, and downloaded the ``.asc`` signature, you can verify the binary for macOS in a terminal like this::

    gpg --verify OnionShare-2.2.pkg.asc OnionShare-2.2.pkg

Or for Windows, in a command-prompt like this::

    gpg.exe --verify onionshare-2.2-setup.exe.asc onionshare-2.2-setup.exe

The expected output looks like this::

    gpg: Signature made Tue 19 Feb 2019 09:25:28 AM AEDT using RSA key ID CD994F73
    gpg: Good signature from "Micah Lee <micah@micahflee.com>"
    gpg:                 aka "Micah Lee <micah@firstlook.org>"
    gpg:                 aka "Micah Lee <micah@freedom.press>"
    gpg:                 aka "Micah Lee <micah.lee@firstlook.org>"
    gpg:                 aka "Micah Lee <micah.lee@theintercept.com>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 927F 419D 7EC8 2C2F 149C  1BD1 403C 2657 CD99 4F73

If you don't see 'Good signature from', there might be a problem with the integrity of the file (malicious or otherwise), and you should not install the package. (The WARNING shown above, is not a problem with the package: it only means you haven't already defined any level of 'trust' of Micah's PGP key.)

If you want to learn more about verifying PGP signatures, guides for `Qubes OS <https://www.qubes-os.org/security/verifying-signatures/>`_ and the `Tor Project <https://support.torproject.org/tbb/how-to-verify-signature/>`_ may be helpful.
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00			`Installation`
			`============`

Install documentation reworked 2020-09-23 04:41:03 -04:00			`Windows or macOS`
			`----------------`
Make this just the docs website, not the full website 2020-08-26 23:14:12 -04:00
			You can download OnionShare for Windows and macOS from the `OnionShare website <https://onionshare.org/>`_.

Added info about bridges 2020-08-25 20:44:38 -04:00			`.. _linux:`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
Version bump to 2.3.dev2, and update Linux installation in docs 2020-11-08 23:45:54 -05:00			`Install in Linux`
			`----------------`

More updates to install docs 2020-11-15 17:00:36 -05:00			There are various ways to install OnionShare for Linux, but the recommended way is to use either the `Flatpak <https://flatpak.org/>`_ or the `Snapcraft <https://snapcraft.io/>`_ package.
			`Flatpak and Snapcraft ensure that you'll always use the newest version and run OnionShare inside of a sandbox.`
Version bump to 2.3.dev2, and update Linux installation in docs 2020-11-08 23:45:54 -05:00
			`Snapcraft is built-in to Ubuntu and Flatpak is built-in to Fedora, but which you use is up to you. Both work in all Linux distributions.`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
Version bump to 2.3.dev2, and update Linux installation in docs 2020-11-08 23:45:54 -05:00			`Install OnionShare using Flatpak: https://flathub.org/apps/details/org.onionshare.OnionShare`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
Version bump to 2.3.dev2, and update Linux installation in docs 2020-11-08 23:45:54 -05:00			`Install OnionShare using Snapcraft: https://snapcraft.io/onionshare`
Some design changes 2020-08-25 18:29:39 -04:00
Version bump to 2.3.dev2, and update Linux installation in docs 2020-11-08 23:45:54 -05:00			You can also download and install a PGP-signed ``.flatpak`` or ``.snap`` packages from https://onionshare.org/dist/ if you prefer.
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
			`.. _verifying_sigs:`

Make this just the docs website, not the full website 2020-08-26 23:14:12 -04:00			`Verifying PGP signatures`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00			`------------------------`

More updates to install docs 2020-11-15 17:00:36 -05:00			`You can verify that the package you download is legitimate and hasn't been tampered with by verifying its PGP signature.`
			`For Windows and macOS, this step is optional and provides defense in depth: the OnionShare binaries include operating system-specific signatures, and you can just rely on those alone if you'd like.`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
Make this just the docs website, not the full website 2020-08-26 23:14:12 -04:00			`Signing key`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00			`^^^^^^^^^^^`

Version bump to 2.3.dev2, and update Linux installation in docs 2020-11-08 23:45:54 -05:00			Packages are signed by Micah Lee, the core developer, using his PGP public key with fingerprint ``927F419D7EC82C2F149C1BD1403C2657CD994F73``. You can download Micah's key `from the keys.openpgp.org keyserver <https://keys.openpgp.org/vks/v1/by-fingerprint/927F419D7EC82C2F149C1BD1403C2657CD994F73>`_.
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
Install documentation reworked 2020-09-23 04:41:03 -04:00			You must have GnuPG installed to verify signatures. For macOS you probably want `GPGTools <https://gpgtools.org/>`_, and for Windows you probably want `Gpg4win <https://www.gpg4win.org/>`_.
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
			`Signatures`
			`^^^^^^^^^^`

More updates to install docs 2020-11-15 17:00:36 -05:00			You can find the signatures (``.asc`` files), as well as Windows, macOS, Flatpak, Snapcraft, and source packages, at https://onionshare.org/dist/ in the folders named for each version of OnionShare.
			You can also find them on the `GitHub Releases page <https://github.com/micahflee/onionshare/releases>`_.
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
			`Verifying`
			`^^^^^^^^^`

Install documentation reworked 2020-09-23 04:41:03 -04:00			Once you have imported Micah's public key into your GnuPG keychain, downloaded the binary, and downloaded the ``.asc`` signature, you can verify the binary for macOS in a terminal like this::
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
			`gpg --verify OnionShare-2.2.pkg.asc OnionShare-2.2.pkg`

Install documentation reworked 2020-09-23 04:41:03 -04:00			`Or for Windows, in a command-prompt like this::`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
			`gpg.exe --verify onionshare-2.2-setup.exe.asc onionshare-2.2-setup.exe`

Install documentation reworked 2020-09-23 04:41:03 -04:00			`The expected output looks like this::`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
			`gpg: Signature made Tue 19 Feb 2019 09:25:28 AM AEDT using RSA key ID CD994F73`
			`gpg: Good signature from "Micah Lee <micah@micahflee.com>"`
			`gpg: aka "Micah Lee <micah@firstlook.org>"`
			`gpg: aka "Micah Lee <micah@freedom.press>"`
			`gpg: aka "Micah Lee <micah.lee@firstlook.org>"`
			`gpg: aka "Micah Lee <micah.lee@theintercept.com>"`
			`gpg: WARNING: This key is not certified with a trusted signature!`
			`gpg: There is no indication that the signature belongs to the owner.`
			`Primary key fingerprint: 927F 419D 7EC8 2C2F 149C 1BD1 403C 2657 CD99 4F73`

Install documentation reworked 2020-09-23 04:41:03 -04:00			`If you don't see 'Good signature from', there might be a problem with the integrity of the file (malicious or otherwise), and you should not install the package. (The WARNING shown above, is not a problem with the package: it only means you haven't already defined any level of 'trust' of Micah's PGP key.)`
Add download links directly to the homepage 2020-08-25 18:07:48 -04:00
Install documentation reworked 2020-09-23 04:41:03 -04:00			If you want to learn more about verifying PGP signatures, guides for `Qubes OS <https://www.qubes-os.org/security/verifying-signatures/>`_ and the `Tor Project <https://support.torproject.org/tbb/how-to-verify-signature/>`_ may be helpful.