[tor-talk] Bad signature of tor expert bundle
arma at torproject.org
Sat May 8 08:13:51 UTC 2021
On Sat, May 08, 2021 at 12:44:37PM +0800, Lu Wei wrote:
> I need a most recent version of the Windows Expert Bundle that could
> run on Windows XP. Version 0.4.5.7 do not work for me.
Firefox doesn't work on Win XP anymore, and so Tor Browser doesn't
In theory the Tor program itself (i.e. the one in the expert bundle)
might still work. You might need to build it yourself though.
Win XP is long dead and is now a terrible idea to run. So the safe
recommendation is "move to a better operating system", and if you want
to stick with that one, you'll have some work to do.
> > When I download the .asc file for 0.4.4.6 from archive.org, the file is
> > empty.
> > The version 0.4.4.6 package is available from Tor's archive site, and
> > the signature is valid:
> > https://archive.torproject.org/tor-package-archive/torbrowser/10.0.10/tor-win32-0.4.4.6.zip
> > https://archive.torproject.org/tor-package-archive/torbrowser/10.0.10/tor-win32-0.4.4.6.zip.asc
> Yes, but my point is why there are two tor-win32-0.4.4.6.zip files. Is
> there anything wrong with the file on archive.org? That would cast a
> cloud of suspicion on archive.org's credibility.
I just fetched your archive.org version of the tor 0.4.4.6.zip file,
and it matched the one I got from archive.torproject.org. The sha1sum
in both cases is e0a17cc7d2f51dc75f6fea496c44096e32e054bf. The signature
file I got from archive.org also checks out.
I notice that your original archive.org url was an http url, not an
https url. So all sorts of things might have happened that could mean
you never made it to the real archive.org site at all.
But from Matt's mail, it looks like something was going wrong with
fetching the archive.org versions of those files a few weeks back. All
the more reason to use the real Tor archive.
More information about the tor-talk