[tor-talk] TBB 7.5.5 detached .asc file isn't encrypted or tar

Georg Koppen gk at torproject.org
Tue Jun 12 07:25:00 UTC 2018


Joe:
> The detached .asc signature file for linux-64 is
> "tor-browser-linux64-7.5.5_en-US.tar.xz.asc"
> GPG complains it can't verify:
> 
> gpg: can't open `tor-browser-linux64-7.5.5_en-US.tar.xz.asc'
> gpg: verify signatures failed: file open error
> 
> Was a different key used to sign TBB 7.5.5 (linux64) than used for 7.5.3?
> 
> Note: it says "can't open the .asc file," not that it's a bad signature.
> The files are in the same directory in my ~/Downloads directory.
> TBB D/L version 7.5.3 verifies OK with the .asc file on Tor Project's
> D/L page.  I checked it again today, using the same GPG version on my
> system.
> 
> I'm not sure if it has to do with the GnuPG version that Tor Project
> used to sign the file & create the detached signature and my gpg
> version, 1.4.20, or another key that I don't have was used to sign this
> time?
> 
> The TBB 7.5.5 .asc file (nor v7.5.3) doesn't show the GnuPG version used,
> like often seen in other .asc files, e.g., "Version: GnuPG v2.0.14."

Yes, that's a feature. If you are interested,

https://riseup.net/en/security/message-security/openpgp/best-practices

has some hints on how to improve your GnuPG setup.

> I verify signed files all the time (that used GnuPG 2.0.x to sign) & GPG
> never complained it "couldn't open a signature file" with the same
> naming convention as the v7.5.5 program file and its .asc file.

What does

gpg --verify tor-browser-linux64-7.5.5_en-US.tar.xz.asc tor-browser-linux64-7.5.5_en-US.tar.xz

say in your terminal?

Georg
