Tor Distros Repository Problems (serious!)

wirelesssnowman at wirelesssnowman at
Tue Jan 18 03:46:07 UTC 2011

Point 1: Binaries (DEBs/RPMs) are NOT correctly signed!

Demonstration of point 1:

Download a current Tor binary (rpm or deb file) from Tor's official repositories. Next, download the file. Finally, download the .asc file for the Tor binary version you've downloaded.

Compare these files: *AND* the .asc file from the binary's repo dir

*BOTH* files are *EXACTLY* the *SAME*! They are the public key from
the would-be signer, but the .asc files are NOT the correctly signed
files from the signer's public key. The .asc files are WORTHLESS and
gpg issues an error if you try to verify the .asc files:

#gpg: verify signatures failed: Unexpected error

Why? Because it's not a valid signature at all, it's a duplicate copy of the public key which is also found in !

Point 2: No checksums available for the binaries!

Demonstration of point 2: Within your web browser, navigate the directory
tree for the Tor official binaries. 

Example: a distro)

No md5, sha1, sha256, or better checksums are available for verification!!


This is a simple task; the public key holder for the binaries should, can,
and, if we are to place any trust in the binaries coming from a trusted
source, must PROPERLY SIGN THEM and generate checksums for the binaries. This
process only takes a few minutes for each release, and when you bear in
mind how important this simple process is for each release, it should be
MANDATORY that a CAPABLE person is staffed to COMPLETE this process EVERY TIME!

I understand how a repository should be used, but consideration must be made
for those who download files manually and attempt to verify vs. allowing their package manager to do the work with the repos/files.
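An added example (not part of the post or of the Tor project's tooling) for the failure mode described in point 1: before handing a downloaded .asc to `gpg --verify`, decode its ASCII armor and check that the first OpenPGP packet is actually a signature packet rather than a public-key packet. The armored inputs below are constructed minimal packets for the demonstration, not real keys or signatures.

```python
"""Tell a real detached signature apart from a public key renamed to .asc."""
import base64
import re

# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6

ARMOR_RE = re.compile(r"-----BEGIN PGP ([^-]+)-----\r?\n(.*?)-----END PGP", re.S)

def armor_body(text: str) -> tuple:
    """Return (armor label, decoded packet bytes) of the first armored block."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no ASCII armor found")
    label, lines = m.group(1), m.group(2).splitlines()
    if "" in lines:                          # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    body = []
    for line in lines:
        if line.startswith("="):             # CRC24 line marks the end of the base64 body
            break
        body.append(line.strip())
    return label, base64.b64decode("".join(body))

def first_packet_tag(data: bytes) -> int:
    """Decode the packet tag from the first OpenPGP packet header byte."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("first byte is not an OpenPGP packet header")
    if ctb & 0x40:                           # new-format header: tag in the low 6 bits
        return ctb & 0x3F
    return (ctb >> 2) & 0x0F                 # old-format header: tag in bits 2-5

def classify_asc(text: str) -> str:
    """'signature' only if the armor label and the first packet both say so."""
    label, data = armor_body(text)
    tag = first_packet_tag(data)
    if label == "SIGNATURE" and tag == TAG_SIGNATURE:
        return "signature"
    if tag == TAG_PUBLIC_KEY:
        return "public-key"                  # a copy of the signer's key, not a signature
    return f"other(label={label}, tag={tag})"

def _armor(label: str, payload: bytes) -> str:
    """Constructed armor for the demo; the CRC line is a dummy and is skipped above."""
    return (f"-----BEGIN PGP {label}-----\nVersion: constructed\n\n"
            f"{base64.b64encode(payload).decode()}\n=AAAA\n-----END PGP {label}-----\n")

# Constructed packets: 0x89 = old-format tag 2 (signature), 0x99 = old-format tag 6 (key).
GOOD_ASC = _armor("SIGNATURE", bytes([0x89, 0x00, 0x02, 0x04, 0x00]))
BOGUS_ASC = _armor("PUBLIC KEY BLOCK", bytes([0x99, 0x00, 0x02, 0x04, 0x00]))

if __name__ == "__main__":
    for name, asc in (("good.asc", GOOD_ASC), ("bogus.asc", BOGUS_ASC)):
        print(name, "->", classify_asc(asc))   # good.asc -> signature, bogus.asc -> public-key
```

A "public-key" result is exactly the situation the post describes; only a "signature" result is worth passing on to `gpg --verify <file>.asc <file>`.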