[tor-talk] Problems? Verifying signatures in Tor 4.0.4

Alexandros irregulator at riseup.net
Thu Feb 26 13:15:49 UTC 2015


On 02/26/2015 03:02 PM, andre76 at fastmail.fm wrote:
> Is there anything that's wrong about the gpg verification performed on
> the version 4.0.4 as seen in the text below?
> It's quite different from previous Tor versions. No Erinn Clark.
> 
> 
> 
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc                
> gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
> F65C2036
> gpg: Good signature from "Tor Browser Developers (signing key)
> <torbrowser at torproject.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329
> 8290
>      Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C
>      2036
> 

Hi,

please read https://blog.torproject.org/blog/tor-browser-404-released

Tor Browser is signed with a different key. You should the new public
key in order to verify the signatures.

gpg --recv-keys 'EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290'

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20150226/893266a0/attachment.sig>


More information about the tor-talk mailing list