[Discuss] Trying to install Tor on Fedora

[smallm at sdf.org (Mike Small)]

Nancy Allison <nancythewriter7 at gmail.com> writes:

> Hi, all. I sent this reply to Rich but forgot to include the list.
>
> I am your Test Case par excellence: someone trying to use Fedora who is not
> terribly technical. Can Linux be used by people for whom it is really a
> challenge, even things that to technical people are obvious? Here is a
> distillation of the later discussion with Rich.

The Tor project may be interested in your feedback. Maybe once you get
torbrowser going you could let them know where their instructions weren't
clear. My impression is they want their stuff to be accessible to
everyone, but it's not a huge project and they wouldn't have the money
to check if their instructions are useful to as large a cross section of
people as they would hope.

Also, it's not easy on Linux to give this kind of direction since we all
get to choose (as we should) what programs we'll use to access and run
other programs, e.g. what desktop environment, whether we like nautilus,
kde's file manager, or if we instead will run with something more spare
like twm and use rox-filer as the file manager. Or maybe someone prefers
to use a plan 9 text editor named acme, which makes a pretty decent file
manager as well, or to use emacs's dired mode, or only to use the
terminal to navigate. Point is, it's not possible to give the kind of
step by step instruction with screen shots you'll see in those very fat
books in the computer section and Barnes and Noble, because you can't
know exactly what people are running. The fallback is often to give
instructions one can run at a terminal program using the command
line. That's all that can be assumed to be universally available.

And Windows, in as much as it's simpler by foisting their mall
kioskesque disaster of a UI on everyone, still manages not to be that
great, in fact. Just the other day, on the laptop my employer makes
me run a proprietary operating system on I had to do this:

https://www.tenforums.com/browsers-email/101100-make-firefox-default-app-web-browser.html

I suppose myself to be fairly technical, but I could not figure that out
on my own. (Btw. for all the talk about Microsoft being Linux friendly
with WSL or whatever, I noted in this configuration screen a message
suggesting that by using firefox or anything other than MS's new browser
as the default that I may not be doing what's best for my system. That
would have provoked roars of disapproval back in the day. Maybe
Microsoft hasn't gotten better. Maybe we've just gotten used to even
worse treatement by the new 800 pound gorillas out there, the Apples and
the Google/Samsung/Verizon/Android "who does this phone belong to
anyway?" style environments.)

>
> I downloaded the Linux file from the Tor site and it opened automatically.
> The next step I need to take is

In case you want to do the verification step, I'll try to give
instructions to use at a command prompt (run a program named terminal or
xterm or gnome-terminal, whatever you can find along those lines in your
menus). There may be a UI to do this, but I'm not familiar with what's
out there like that. Once you've got a prompt up in such a terminal
emulator program you can type the commands below:

1. change directories to where the tor software archive and the
corresponding signature (.asc) was downloaded.
e.g. ...
cd Download

2. try running gpg to verify the file:

$ gpg --verify tor-browser-linux64-8.0.8_en-US.tar.xz.asc tor-browser-linux64-8.0.8_en-US.tar.xz
gpg: Signature made Fri 22 Mar 2019 07:47:17 PM EDT using RSA key ID D9FF06E2
gpg: Can't check signature: public key not found

3. Since you probably also don't have the public key from the tor
project in your key ring, get that. It kind of defeats the purpose of
this whole check, this fact, except that at least once you get the key
once your later checks will have it, so you'll at least narrow your
exposure to being fooled the first time you downloaded torbrowser, its
signature, and the public key needed to verify instead of having the
potential to be fooled every time you download torbrowser (future
upgrades).  To be safer, in theory, you could look across the signatures
of that public key until you arrive at someone's public key who you
recognize and trust.  I dunno, I tried this with the tor key the other
day and ran out of steam before reaching anyone I'd heard of to where I
had any kind of meaningful trust in the public key I retrieved. I mean,
I felt like is was close to linking up with Poul-Henning Kamp, a well
known FreeBSD developer with a known email, but I could only match up
one of the tor developer's key to his and not the one actually used to
sign the archive. PGP's web of trust kind of breaks down in cases like
these I think.

$ gpg --keyserver pgp.mit.edu --recv-keys D9FF06E2
gpg: requesting key D9FF06E2 from hkp server pgp.mit.edu
gpg: key 93298290: public key "Tor Browser Developers (signing key) <torbrowser at torproject.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

4. now try the verify command again. The results below mean the
signature matched. Ignore the warning (I guess it's in some way related
to this trust problem I alluded to above and a facility gpg has to let
you rate how trustworthy you figure the keys you've retrieved are, given
their connectedness to other keys you suppose are trustworthy):

$ gpg --verify tor-browser-linux64-8.0.8_en-US.tar.xz.asc tor-browser-linux64-8.0.8_en-US.tar.xz
gpg: Signature made Fri 22 Mar 2019 07:47:17 PM EDT using RSA key ID D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser at torproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

(if the commands above fail and say gpg doesn't exist maybe typing gpg2
will work.)

>
>> > 4. Run the start-tor-browser script.
>
> But I don't know how to do that. What is the file name of the script? There
> is no file called "script." Once I know what file it is, do I need to do
> something in the command window, like

The script's name is start-tor-browser.desktop.  Scroll down to the
section at this link with the heading Linux Instructions
https://2019.www.torproject.org/projects/torbrowser.html.en

If you're using the command line and are in the directory where the
archive you downloaded ended up and have done the command to extract its
files out onto your filesystem, then you can cd into tor-browser_en-US:

$ cd tor-browser_en-US/

>
>>
>> sudo run <script file name>
>>
>> Is that it?

Not quite. They don't want you to run sudo, which would run the command
as root. They only want you to run it normally, i.e. by entering its
name with a ./ in front of it (meaning to run the command with that name
that exists in the current directory instead of searching through your
path for it):

./start-tor-browser.desktop

At that point you should see a dialog box with two buttons. One says
connect and the other says Configure. If you don't have to run through a
proxy click on the Connect button. Now the browser starts.

Btw. if you weren't using the command line but a file manager to get to
the archive, probably you could have run just as well by double clicking
(or right clicking and finding some kind of extract popup menu option)
on the archive to extract it and then clicking on the tor-browser_en-US
sub-folder that got created from the extraction. There you would find
start-tor-browser.desktop and could double click (depending on your file
browser) that file named to start the tor browser.

I had a problem with this myself the other day when I first tried
setting it up. I wanted to configure it to use the tor relay set up on
my phone (using Orbot), which I use for internet, instead of running a
tor daemon locally. There seems no way to do that without hacking
around their wrapping scripts? Anyone know a simple way?


-- 
Mike Small
smallm at sdf.org