I wanted to try using TOR on my new Linux Mint 18.1 installation. So I apt-get installed torbrowser-launcher and tor, then ran torbrowser-launcher. It opened a dialog box and showed me it was downloading the TOR browser; but when it was done, it said it had failed the signature check and that I may be “under attack” (oh my!).
Now, it’s quite unlikely I’m under some attack personally (I’m not important enough for that), so I’m guessing either it’s some technical glitch, or, what would be possible although far far less likely, a man-in-the-middle attack covering my ISP rather than myself individually, nefarious government surveillance or what-not.
How can I tell? What should I do?
By the way, the URLs downloaded are:
https://dist.torproject.org/torbrowser/6.5/tor-browser-linux64-6.5_en-US.tar.xz.asc
https://dist.torproject.org/torbrowser/6.5/tor-browser-linux64-6.5_en-US.tar.xz
Answers:
Method 1
It’s not an attack, just an outdated key.
There’s an issue report on this matter over at the GitHub repository.
A workaround reported there, which works for some systems if not all, is to run:
gpg --homedir "$HOME/.local/share/torbrowser/gnupg_homedir/" --refresh-keys --keyserver pgp.mit.edu
before torbrowser-launcher. Then it works. It’s quite possible that what Kusalananda suggested would also work, but I can’t check that unless I undo the key update.
Method 2
When I download the signature and the compressed archive, fetch the key from a keyserver, and verify the signature:
$ gpg2 --recv-key D1483FA6C3C07136
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Total number processed: 1
gpg: imported: 1
$ gpg2 --verify tor-browser-linux64-6.5_en-US.tar.xz.asc
gpg: assuming signed data in 'tor-browser-linux64-6.5_en-US.tar.xz'
gpg: Signature made Tue Jan 24 15:42:49 2017 CET
gpg: using RSA key D1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
So, the signature is good. I suggest that you try again, or investigate if this is the same issue as reported in the Tor Browser issue tracker (issue 263).
How did I know what key to verify with?
I first ran the verification without fetching any key and got:
gpg: assuming signed data in 'tor-browser-linux64-6.5_en-US.tar.xz'
gpg: Signature made Tue Jan 24 15:42:49 2017 CET
gpg: using RSA key D1483FA6C3C07136
gpg: Can't check signature: No public key
Then I checked D1483FA6C3C07136 against the key IDs listed on the Tor project’s site and found that it was indeed the correct key: https://www.torproject.org/docs/signing-keys.html.en
This is, I believe, as close as I can get to knowing that the archive wasn’t tampered with without meeting the developers face to face and having them personally hand me a USB stick with the software.
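The check described in this answer, written out as an added example that is not part of either answer: it runs gpg with --status-fd so the result can be read by machine, and only accepts the archive when the VALIDSIG line names the primary fingerprint the answer found on the Tor project's signing-keys page. A "Good signature" line by itself only shows the data matches whatever key was fetched from the keyserver; pinning the fingerprint is what ties it to the right owner. It assumes gpg is in PATH and that the archive and its .asc file sit in the current directory; the sample status lines are constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example, not code from either answer: verify a detached .asc signature the
# way the answers do, but additionally pin the signing key's *primary* fingerprint.
# gpg's "Good signature" only says the data matches whichever key was fetched from
# the keyserver; comparing the fingerprint against the one published by the Tor
# project (and quoted in the answer above) is what ties it to the right owner.

# Primary fingerprint printed by gpg in the answer above, with spaces removed.
EXPECTED_PRIMARY_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# check_validsig STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the machine-readable output of `gpg --status-fd 1 --verify`.
# Succeeds only when a VALIDSIG line is present, no BADSIG/ERRSIG line is present,
# and VALIDSIG's primary-key fingerprint (its 12th whitespace-separated field)
# equals EXPECTED_FPR.
check_validsig() {
    status_text="$1"
    expected="$2"
    if printf '%s\n' "$status_text" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG) '; then
        return 1
    fi
    primary=$(printf '%s\n' "$status_text" \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }')
    [ -n "$primary" ] && [ "$primary" = "$expected" ]
}

# verify_pinned ARCHIVE: run gpg on ARCHIVE.asc / ARCHIVE and apply the pin.
# gpg's human-readable text goes to stderr (discarded here); status lines go to fd 1.
verify_pinned() {
    archive="$1"
    status_text=$(gpg --batch --status-fd 1 --verify "$archive.asc" "$archive" 2>/dev/null) || true
    check_validsig "$status_text" "$EXPECTED_PRIMARY_FPR"
}

# Constructed sample status output (not captured from a real gpg run) shaped like
# what gpg emits for the answer's "Good signature" case: the subkey fingerprint is
# field 3 of VALIDSIG, the primary fingerprint is its last field.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D1483FA6C3C07136 Tor Browser Developers (signing key) <torbrowser@torproject.org>
[GNUPG:] VALIDSIG A4300A6BC93C0877A4451486D1483FA6C3C07136 2017-01-24 1485268969 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample for the "Can't check signature: No public key" case.
SAMPLE_NOKEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D1483FA6C3C07136 1 10 00 1485268969 9 A4300A6BC93C0877A4451486D1483FA6C3C07136
[GNUPG:] NO_PUBKEY D1483FA6C3C07136'

if check_validsig "$SAMPLE_GOOD_STATUS" "$EXPECTED_PRIMARY_FPR"; then
    echo "sample: signature made by the pinned key"
fi
if ! check_validsig "$SAMPLE_NOKEY_STATUS" "$EXPECTED_PRIMARY_FPR"; then
    echo "sample: no usable signature (public key missing), as expected"
fi
# Real run, if the archive from the question is present in the current directory.
if [ -f tor-browser-linux64-6.5_en-US.tar.xz ]; then
    verify_pinned tor-browser-linux64-6.5_en-US.tar.xz && echo "archive: OK"
fi
```

The pin is on the primary fingerprint rather than the signing subkey's (field 3 of VALIDSIG) because the project can rotate subkeys under the same primary key; the "[unknown]" trust warning in the answer is still printed by gpg, but the fingerprint comparison is the check that actually matters here.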
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.