[Discuss] Trying to install Tor on Fedora

[nancythewriter7 at gmail.com (Nancy Allison)]

Thank you so much for this informative answer, Mike!

I foolhardily went ahead and did manage to run the installation file --
after John Abreau kindly helped me out and explained, among other things,
that Nautilus won't run an executable like the Tor starter file. When I
opened Gladiator or Warrior or Conquistador -- sorry, I don't have it in
front of me and Im forgetting the name -- another file manager, anyway --
and double-clicked the file, it RAN. Hallelujah! So now I have Tor!!!  For
a while, it kept wanting to download itself again but I hope that's over.
I'm kind of scared to reboot and see if it keeps doing that but tomorrow is
another day!

I will read over the rest of your email and definitely follow the PGP
steps, I want to understand that better.

Thank you again. Your helpfulness and John's and Rich's have been so
generous, I really appreciate it.

--Nancy



On Thu, May 9, 2019 at 4:09 PM Mike Small <smallm at sdf.org> wrote:

> Nancy Allison <nancythewriter7 at gmail.com> writes:
>
> > Hi, all. I sent this reply to Rich but forgot to include the list.
> >
> > I am your Test Case par excellence: someone trying to use Fedora who is
> not
> > terribly technical. Can Linux be used by people for whom it is really a
> > challenge, even things that to technical people are obvious? Here is a
> > distillation of the later discussion with Rich.
>
> The Tor project may be interested in your feedback. Maybe once you get
> torbrowser going you could let them know where their instructions weren't
> clear. My impression is they want their stuff to be accessible to
> everyone, but it's not a huge project and they wouldn't have the money
> to check if their instructions are useful to as large a cross section of
> people as they would hope.
>
> Also, it's not easy on Linux to give this kind of direction since we all
> get to choose (as we should) what programs we'll use to access and run
> other programs, e.g. what desktop environment, whether we like nautilus,
> kde's file manager, or if we instead will run with something more spare
> like twm and use rox-filer as the file manager. Or maybe someone prefers
> to use a plan 9 text editor named acme, which makes a pretty decent file
> manager as well, or to use emacs's dired mode, or only to use the
> terminal to navigate. Point is, it's not possible to give the kind of
> step by step instruction with screen shots you'll see in those very fat
> books in the computer section and Barnes and Noble, because you can't
> know exactly what people are running. The fallback is often to give
> instructions one can run at a terminal program using the command
> line. That's all that can be assumed to be universally available.
>
> And Windows, in as much as it's simpler by foisting their mall
> kioskesque disaster of a UI on everyone, still manages not to be that
> great, in fact. Just the other day, on the laptop my employer makes
> me run a proprietary operating system on I had to do this:
>
>
> https://www.tenforums.com/browsers-email/101100-make-firefox-default-app-web-browser.html
>
> I suppose myself to be fairly technical, but I could not figure that out
> on my own. (Btw. for all the talk about Microsoft being Linux friendly
> with WSL or whatever, I noted in this configuration screen a message
> suggesting that by using firefox or anything other than MS's new browser
> as the default that I may not be doing what's best for my system. That
> would have provoked roars of disapproval back in the day. Maybe
> Microsoft hasn't gotten better. Maybe we've just gotten used to even
> worse treatement by the new 800 pound gorillas out there, the Apples and
> the Google/Samsung/Verizon/Android "who does this phone belong to
> anyway?" style environments.)
>
> >
> > I downloaded the Linux file from the Tor site and it opened
> automatically.
> > The next step I need to take is
>
> In case you want to do the verification step, I'll try to give
> instructions to use at a command prompt (run a program named terminal or
> xterm or gnome-terminal, whatever you can find along those lines in your
> menus). There may be a UI to do this, but I'm not familiar with what's
> out there like that. Once you've got a prompt up in such a terminal
> emulator program you can type the commands below:
>
> 1. change directories to where the tor software archive and the
> corresponding signature (.asc) was downloaded.
> e.g. ...
> cd Download
>
> 2. try running gpg to verify the file:
>
> $ gpg --verify tor-browser-linux64-8.0.8_en-US.tar.xz.asc
> tor-browser-linux64-8.0.8_en-US.tar.xz
> gpg: Signature made Fri 22 Mar 2019 07:47:17 PM EDT using RSA key ID
> D9FF06E2
> gpg: Can't check signature: public key not found
>
> 3. Since you probably also don't have the public key from the tor
> project in your key ring, get that. It kind of defeats the purpose of
> this whole check, this fact, except that at least once you get the key
> once your later checks will have it, so you'll at least narrow your
> exposure to being fooled the first time you downloaded torbrowser, its
> signature, and the public key needed to verify instead of having the
> potential to be fooled every time you download torbrowser (future
> upgrades).  To be safer, in theory, you could look across the signatures
> of that public key until you arrive at someone's public key who you
> recognize and trust.  I dunno, I tried this with the tor key the other
> day and ran out of steam before reaching anyone I'd heard of to where I
> had any kind of meaningful trust in the public key I retrieved. I mean,
> I felt like is was close to linking up with Poul-Henning Kamp, a well
> known FreeBSD developer with a known email, but I could only match up
> one of the tor developer's key to his and not the one actually used to
> sign the archive. PGP's web of trust kind of breaks down in cases like
> these I think.
>
> $ gpg --keyserver pgp.mit.edu --recv-keys D9FF06E2
> gpg: requesting key D9FF06E2 from hkp server pgp.mit.edu
> gpg: key 93298290: public key "Tor Browser Developers (signing key) <
> torbrowser at torproject.org>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)
>
> 4. now try the verify command again. The results below mean the
> signature matched. Ignore the warning (I guess it's in some way related
> to this trust problem I alluded to above and a facility gpg has to let
> you rate how trustworthy you figure the keys you've retrieved are, given
> their connectedness to other keys you suppose are trustworthy):
>
> $ gpg --verify tor-browser-linux64-8.0.8_en-US.tar.xz.asc
> tor-browser-linux64-8.0.8_en-US.tar.xz
> gpg: Signature made Fri 22 Mar 2019 07:47:17 PM EDT using RSA key ID
> D9FF06E2
> gpg: Good signature from "Tor Browser Developers (signing key) <
> torbrowser at torproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
>      Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2
>
> (if the commands above fail and say gpg doesn't exist maybe typing gpg2
> will work.)
>
> >
> >> > 4. Run the start-tor-browser script.
> >
> > But I don't know how to do that. What is the file name of the script?
> There
> > is no file called "script." Once I know what file it is, do I need to do
> > something in the command window, like
>
> The script's name is start-tor-browser.desktop.  Scroll down to the
> section at this link with the heading Linux Instructions
> https://2019.www.torproject.org/projects/torbrowser.html.en
>
> If you're using the command line and are in the directory where the
> archive you downloaded ended up and have done the command to extract its
> files out onto your filesystem, then you can cd into tor-browser_en-US:
>
> $ cd tor-browser_en-US/
>
> >
> >>
> >> sudo run <script file name>
> >>
> >> Is that it?
>
> Not quite. They don't want you to run sudo, which would run the command
> as root. They only want you to run it normally, i.e. by entering its
> name with a ./ in front of it (meaning to run the command with that name
> that exists in the current directory instead of searching through your
> path for it):
>
> ./start-tor-browser.desktop
>
> At that point you should see a dialog box with two buttons. One says
> connect and the other says Configure. If you don't have to run through a
> proxy click on the Connect button. Now the browser starts.
>
> Btw. if you weren't using the command line but a file manager to get to
> the archive, probably you could have run just as well by double clicking
> (or right clicking and finding some kind of extract popup menu option)
> on the archive to extract it and then clicking on the tor-browser_en-US
> sub-folder that got created from the extraction. There you would find
> start-tor-browser.desktop and could double click (depending on your file
> browser) that file named to start the tor browser.
>
> I had a problem with this myself the other day when I first tried
> setting it up. I wanted to configure it to use the tor relay set up on
> my phone (using Orbot), which I use for internet, instead of running a
> tor daemon locally. There seems no way to do that without hacking
> around their wrapping scripts? Anyone know a simple way?
>
>
> --
> Mike Small
> smallm at sdf.org
>