[tbb-bugs] #24683 [Applications/Tor Browser]: Sig file verification fail

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 20 18:11:08 UTC 2017

#24683: Sig file verification fail
 Reporter:  xninaznx                  |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by xninaznx):

 Sorry, I'm not sure how to do that. I used GPG to import your key and
 tried to verify the sig file in a terminal.

 gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
 gpg: key 4E2C6E8793298290: 41 duplicate signatures removed
 gpg: key 4E2C6E8793298290: 141 signatures not checked due to missing keys
 gpg: key 4E2C6E8793298290: 1 signature reordered
 gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key)
 <torbrowser at torproject.org>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1
 z:~ n$ gpg --fingerprint 0x4E2C6E8793298290
 pub   rsa4096 2014-12-15 [C] [expires: 2020-08-24]
       EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
 uid           [ unknown] Tor Browser Developers (signing key)
 <torbrowser at torproject.org>
 sub   rsa4096 2016-08-24 [S] [expires: 2018-08-24]

 z:~ n$ gpg --verify ~/Downloads/TorBrowser-7.0.11-osx64_en-US.dmg{.asc*,}
 gpg: Signature made Fri Dec  8 05:00:23 2017 EST
 gpg:                using RSA key D1483FA6C3C07136
 gpg: BAD signature from "Tor Browser Developers (signing key)
 <torbrowser at torproject.org>" [unknown]

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24683#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list