[Solved] Tor browser installation: Signature verification failed.

Forum Forums New users New Users and General Questions [Solved] Tor browser installation: Signature verification failed.

  • This topic has 9 replies, 3 voices, and was last updated Aug 30-8:29 am by ModdIt.
Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • #40866
    Member
    Avataranilkagi

    Hello there,

    I tried to install Tor browser with synaptic. There are two packages on the synaptic, Tor Browser & Tor browser launcher settings.

    I installed both. The Tor Browser in the synaptic is not the actual browser but it is the installer. I have successfully installed and used Tor browser by that method before, but of late it is giving the error: “signature verification failed error”.

    I then changed the Tor browser launcher settings; I checked the ‘Download over system Tor’ box > Install Tor Browser. That too did not succeed.

    I checked the web for solutions and found a few solutions there.

    One solution was;

    This is due to an outdated key for verifying the torbrowser-launcher download. Try: gpg --homedir "$HOME/.local/share/torbrowser/gnupg_homedir/" --refresh-keys --keyserver pgp.mit.edu

    The other solution was;

    It's fixed in the latest version of torbrowser-launcher. Add the author's PPA to get the update: sudo add-apt-repository ppa:micahflee/ppa

    Another was;

    gpg --homedir "$HOME/.local/share/torbrowser/gnupg_homedir" --refresh-keys --keyserver keyserver.ubuntu.com

    Another was;

    Completely purge tor and install the tor browser bundle from torproject.org.

    Another was;

    curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -

    I was skeptical about these solutions because I do not know if it is the proper method to adopt on antiX.

    The torproject.org site gives the following solution;

    The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
    
    gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
    
    If ./tor.keyring doesn't exist after running this command, something has gone wrong and you cannot continue until you've figured out why this didn't work.

    That was exactly what happened to me. The ./tor.keyring doesn’t exist after running the above command. Next, the site gives a workaround.

    
    Workaround (using a public key)
    
    If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:
    
    curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -

    Then there is another solution given on that site.

    
    To use source lines with https:// in /etc/apt/sources.list the apt-transport-https package is required. I installed it on synaptic.
    
    Then add this line to your /etc/apt/sources.list file:
    
        deb     https://deb.torproject.org/torproject.org buster main
    
    sudo apt-get update
    sudo apt-get upgrade
    
    Install signing key together with tor:
    
    # apt install tor deb.torproject.org-keyring

    All these solutions were not at all necessary if the signature verification did not fail in the regular method of installing with installer, installed with synaptic. It was easy and nice method. I have installed Tor by that method successfully before.

    What is the way out?

    • This topic was modified 7 months, 2 weeks ago by anilkagi.
    #40867
    Moderator
    AvatarModdIt

    Left this part, removed rest as not solution. See last post from anilkagi for that
    Important to consider:
    Do not put too much trust in tor, last version was definitely open to attack, CPU going to 100%
    browser taking no commands, kill leaving it running headless in background, afterwords it autostarted
    at irregular intervals in headless mode. Latest seems to have fixed the issue.
    This was experienced by more than one user and replicated.
    Apart from that Tor nodes can be run by interested organizations, you can not even be sure the download
    and keys are not modified by Man in middle.

    • This reply was modified 7 months, 2 weeks ago by ModdIt.
    #40868
    Member
    Avataranilkagi

    Hello Moddit,

    Thanks for the suggestion and the cautionary note. I will keep that in mind.

    • This reply was modified 7 months, 2 weeks ago by anilkagi.
    #40870
    Member
    Avataranilkagi

    This unnecessary post was deleted as it was mere intermediary before arriving at the solution. The solution is in the last post.

    • This reply was modified 7 months, 2 weeks ago by anilkagi.
    #40890
    Moderator
    AvatarModdIt

    Lot of reading, not a solution. REMOVED to make thread concise

    • This reply was modified 7 months, 2 weeks ago by ModdIt.
    #40894
    Member
    Avataranilkagi

    This unnecessary post was deleted as it was mere intermediary before arriving at the solution. The solution is in the last post.

    • This reply was modified 7 months, 2 weeks ago by anilkagi.
    #40909
    Moderator
    AvatarModdIt

    i woke up with headache fever today, worrying. Long post,
    Hope it is understandable.

    worked, Removed my post to make thread more readable.

    Solution as howto in post from anilkagi. its enough.

    • This reply was modified 7 months, 2 weeks ago by ModdIt.
    • This reply was modified 7 months, 2 weeks ago by ModdIt.
    #40913
    Member
    Avataranilkagi

    Oh god Moddit, I am so sorry, I made you do this, in spite of your fever and headache. I feel so guilty. I wish you will get well soon.

    Hats of to you, for keeping the promise against odds.

    I am glad to tell you that your super efforts paid. The issue is resolved. I am marking this problem solved.

    The thing I was doing wrong, and the step that changed things was, as you suggested;

    Below the nice, purple button should be a link that says sig. Don’t left click but instead right click it. Then select Save Link As in the context menu.

    I was left clicking on the ‘Signature’ button and when it opened in a new tab with the signature details, I would copy and paste it in a text file and name it as ‘tor-browser-linux64-9.5.4_en-US.tar.xz.asc’, but this approach used to fail.

    For others who are facing this issue should take care of that.

    Let me make the step by step guide as per your guidance and wish, Moddit.

    Step 1: Go to https://www.torproject.org/download/

    Step 2: Click on the ‘Download for Linux’ and save the downloaded Tor Browser package file to your HD.

    Step 3: Below the nice, purple button should be a link that says ‘Signature’. Don’t left click but instead right click on it. Then select ‘Save Link As’ in the context menu. You will need to download the corresponding Signature file (‘.asc’) as well as the installer file itself.

    Step 4: Verify that you have GnuPG, installed on your system. If not install it.

    Step 5: Next, copy-paste the below command in a terminal and you will get the result similar to the one given below.

    gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

    Result:

    gpg: /home/your-username/.gnupg/trustdb.gpg: trustdb created
    gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    pub   rsa4096 2014-12-15 [C] [expires: 2025-07-21]
          EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
    uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
    sub   rsa4096 2018-05-26  [expires: 2020-12-19]

    If you get an error message, something has gone wrong and you cannot continue until you’ve figured out why this didn’t work.

    Step 6: Save the imported key with following command.

    gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

    After running this command, a file named ‘tor.keyring’ must be created in your /home/your-username folder. If it is not, then something has gone wrong and you cannot continue until you’ve figured out why this didn’t work.

    Step 7: Verify the signature by copy-pasting the below command. The examples below assume that you downloaded these two files to your “Downloads” folder. Note that these commands use example file names and yours will be different: you will have downloaded a different version than 9.0 and you may not have chosen the English (en-US) version. (change 64 to 32 if you have the 32-bit package)

    gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-linux64-9.5.4_en-US.tar.xz.asc ~/Downloads/tor-browser-linux64-9.5.4_en-US.tar.xz

    You should get the result similar as below;

    gpgv: Signature made Sun 23 Aug 2020 10:10:32 PM IST
    gpgv:                using RSA key EB774491D9FF06E2
    gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

    If you get error messages containing ‘No such file or directory’, either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.

    If this fails there is workaround documented on the Tor project page. Try that.

    Thank you Moddit. Get well soon.

    #40915
    Moderator
    Brian MasinickBrian Masinick

    @moddit: Thank you very much, once again, for your helpful efforts.
    I hope that you are able to get plenty of rest and recover from your fever and headache.
    Take good cafe of yourself and we will welcome you back when you feel well.

    Brian Masinick

    #40919
    Moderator
    AvatarModdIt

    No need for anyone to feel guilty, first time round getting this done was a headeache too,
    now we have a howto on the forum. Much better. Might be a good idea to post on MX/Antix parallel world.
    For sure others trip up on getting the signature correctly.

    Thanks for the wishes.

Viewing 10 posts - 1 through 10 (of 10 total)
  • You must be logged in to reply to this topic.