Git-Mirrors/onionshare
1
0
Fork 0
mirror of https://github.com/onionshare/onionshare.git synced 2024-12-25 23:39:43 -05:00
Code Issues Packages Projects Releases Wiki Activity

Install documentation reworked

Browse Source
This commit is contained in:
Allan Nordhøy 2020-09-23 08:41:03 +00:00 committed by GitHub
parent 437beef098
commit 72e115b15e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
docs/source/install.rst
View File

@ -1,8 +1,8 @@
Installation Installation
============ ============
Install on Windows or macOS Windows or macOS
--------------------------- ----------------
You can download OnionShare for Windows and macOS from the `OnionShare website <https://onionshare.org/>`_. You can download OnionShare for Windows and macOS from the `OnionShare website <https://onionshare.org/>`_.
@ -10,10 +10,10 @@ For added security, see :ref:`verifying_sigs`.
.. _linux: .. _linux:
Install in Linux with Flatpak Linux with Flatpak
----------------------------- ------------------
There are various ways to install OnionShare for Linux, but the recommended way is to use the Flatpak package. Flatpak ensures that you'll always use the most latest dependencies and run OnionShare inside of a sandbox. There are various ways to install OnionShare for Linux, but the recommended way is to use the Flatpak package. Flatpak ensures that you'll always use the latest dependencies and run OnionShare inside of a sandbox.
Make sure you have ``flatpak`` installed and the Flathub repository added by following `these instructions <https://flatpak.org/setup/>`_ for your Linux distribution. Make sure you have ``flatpak`` installed and the Flathub repository added by following `these instructions <https://flatpak.org/setup/>`_ for your Linux distribution.
@ -24,14 +24,14 @@ Then install OnionShare from Flathub by following `the instructions here <https:
Verifying PGP signatures Verifying PGP signatures
------------------------ ------------------------
You can verify that the Windows, macOS, or source package you download is legitimate and hasn't been tampered with by verifying its PGP signature. For Windows and macOS, this step is optional and provides defense in depth: the installers also include their operating system-specific signatures, and you can just rely on those alone if you'd like. You can verify that the Windows, macOS, or the source package you download is legitimate and hasn't been tampered with by verifying its PGP signature. For Windows and macOS, this step is optional and provides defense in depth: the installers also include their operating system-specific signatures, and you can just rely on those alone if you'd like.
Signing key Signing key
^^^^^^^^^^^ ^^^^^^^^^^^
Windows, macOS, and source packaged are signed by Micah Lee, the core developer, using his PGP public key with fingerprint ``927F419D7EC82C2F149C1BD1403C2657CD994F73``. You can download Micah's key `from the keys.openpgp.org keyserver <https://keys.openpgp.org/vks/v1/by-fingerprint/927F419D7EC82C2F149C1BD1403C2657CD994F73>`_. Windows, macOS, and source packages are signed by Micah Lee, the core developer, using his PGP public key with fingerprint ``927F419D7EC82C2F149C1BD1403C2657CD994F73``. You can download Micah's key `from the keys.openpgp.org keyserver <https://keys.openpgp.org/vks/v1/by-fingerprint/927F419D7EC82C2F149C1BD1403C2657CD994F73>`_.
In order to verify signatures, you must have GnuPG installed. For macOS you probably want `GPGTools <https://gpgtools.org/>`_, and for Windows you probably want `Gpg4win <https://www.gpg4win.org/>`_. You must have GnuPG installed to verify signatures. For macOS you probably want `GPGTools <https://gpgtools.org/>`_, and for Windows you probably want `Gpg4win <https://www.gpg4win.org/>`_.
Signatures Signatures
^^^^^^^^^^ ^^^^^^^^^^
@ -41,15 +41,15 @@ You can find the signatures (``.asc`` files), as well as Windows, macOS, and sou
Verifying Verifying
^^^^^^^^^ ^^^^^^^^^
Once you have imported Micah's public key into your GnuPG keychain, downloaded the binary, and downloaded the ``.asc`` signature, you can verify the binary for macOS in terminal like this:: Once you have imported Micah's public key into your GnuPG keychain, downloaded the binary, and downloaded the ``.asc`` signature, you can verify the binary for macOS in a terminal like this::
gpg --verify OnionShare-2.2.pkg.asc OnionShare-2.2.pkg gpg --verify OnionShare-2.2.pkg.asc OnionShare-2.2.pkg
Or for Windows in a command prompt like this:: Or for Windows, in a command-prompt like this::
gpg.exe --verify onionshare-2.2-setup.exe.asc onionshare-2.2-setup.exe gpg.exe --verify onionshare-2.2-setup.exe.asc onionshare-2.2-setup.exe
An expected output might look like this:: The expected output looks like this::
gpg: Signature made Tue 19 Feb 2019 09:25:28 AM AEDT using RSA key ID CD994F73 gpg: Signature made Tue 19 Feb 2019 09:25:28 AM AEDT using RSA key ID CD994F73
gpg: Good signature from "Micah Lee <micah@micahflee.com>" gpg: Good signature from "Micah Lee <micah@micahflee.com>"
@ -61,6 +61,6 @@ An expected output might look like this::
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 927F 419D 7EC8 2C2F 149C 1BD1 403C 2657 CD99 4F73 Primary key fingerprint: 927F 419D 7EC8 2C2F 149C 1BD1 403C 2657 CD99 4F73
If you don't see 'Good signature from', then there might be a problem with the integrity of the file (malicious or otherwise), and you perhaps should not install the package. (The WARNING shown above, is not a problem with the package: it only means you have not defined any level of 'trust' regarding Micah's PGP key itself.) If you don't see 'Good signature from', there might be a problem with the integrity of the file (malicious or otherwise), and you should not install the package. (The WARNING shown above, is not a problem with the package: it only means you haven't already defined any level of 'trust' of Micah's PGP key.)
If you want to learn more about verifying PGP signatures, guides for `Qubes OS <https://www.qubes-os.org/security/verifying-signatures/>`_ and the `Tor Project <https://2019.www.torproject.org/docs/verifying-signatures.html.en>`_ may be helpful. If you want to learn more about verifying PGP signatures, guides for `Qubes OS <https://www.qubes-os.org/security/verifying-signatures/>`_ and the `Tor Project <https://support.torproject.org/tbb/how-to-verify-signature/>`_ may be helpful.