Earlier this week, I had downloaded an update for the Tor Browser from its official site, and now it doesn’t seem to work at all. What it says is that it can’t verify the PGP signature on the installation.
As part of the process, I refreshed the GPG key with a new one from Ubuntu’s keyserver, but still the problem persisted. A post on the Linux Mint forums discussed this issue, and the OP said “I usually just download their Tor Linux archive file which can update itself and use that rather than installing from the Software Manager or Synaptic Package Manager (SPM). My Tor browser is working fine.” The full post is here: SOLVED Tor-browser launcher problem – verifying signature fails.
Still, it seemed important to mention this to the developers; therefore, it was time to do as the message said and contact computer security engineer Micah F. Lee about the problem.
On GitHub, it was reassuring to know that several other users had had the same problem. In fact, Mr. Lee had addressed this specific issue on the repository for Tor Browser Launcher; to quote him:
PGP key servers are the worst.
This error was happening because the public key included in torbrowser-launcher expired, and refreshing keys from the keys.openpgp.org keyserver failed because Tor Project didn’t specifically push the new key and verify their email address with that keyserver. And refreshing from SKS keyservers is not an option because the SKS project is permanently broken, and the Tor Browser signing key is spammed with so many fake sigs that you can’t download it. (The same thing has happened to my personal key.)
So this PR does away with keyservers altogether and instead updates the PGP key using WKD, fetching the public key from torproject.org, which is what Tor’s sig verification documentation now calls for anyway.
It also includes a new, non-expired version of the public key. And fixes another bug, using package version comparison instead of string comparison to compare version numbers, so that “10” is not less than “9”.
I’m terribly sorry for ignoring this issue for so long, everyone. If you’re trustworthy and want to take over maintenance of this project please contact me at email@example.com.
It’s interesting that he mentioned the SKS keyserver project being broken, because other articles had raised red flags about this not too long ago! WKD, as Micah points out, is the Web Key Directory (GnuPG’s standard system for key discovery), and the updated PGP keys should be fetched there from now on.
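The two mechanics in Micah's description, discovering a key through WKD instead of a keyserver and comparing version numbers as numbers rather than strings, are small enough to show in working code. The example below is added here and is not code from torbrowser-launcher or from the Tor Project; it assumes the URL and hashing rules of the WKD draft (SHA-1 of the lower-cased local part, zbase32-encoded, served under /.well-known/openpgpkey/), uses a simplified Tor-Browser-style version grammar ("10.0.12", "10.5a3"), and the address it looks up is a constructed placeholder.

```python
"""Added example: WKD lookup URLs and proper version comparison (not torbrowser-launcher's code)."""
import hashlib
import re
from urllib.parse import quote

# zbase32 alphabet as specified for the Web Key Directory (assumed from the WKD draft)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes in zbase32: 5-bit groups, final group zero-filled, no padding characters."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_lookup(email: str) -> dict:
    """Return the WKD hash and both candidate URLs (advanced and direct method) for an address.

    The local part is lower-cased before hashing, the domain is lower-cased in the URL, and the
    original local part is handed back in the ``l`` query parameter (WKD draft rules, assumed).
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    return {
        "hash": hashed,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={l_param}",
    }


# Simplified grammar: dotted integers with an optional alpha/beta suffix such as "10.5a3"
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:([ab])(\d+))?")


def parse_version(version: str) -> tuple:
    """Turn a version string into a tuple that compares numerically.

    Numeric components compare as integers, so 10 > 9; an alpha or beta suffix sorts
    below the final release of the same number.
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    if match.group(2):
        pre = ({"a": 0, "b": 1}[match.group(2)], int(match.group(3)))
    else:
        pre = (2, 0)  # final release outranks any a/b pre-release
    return numbers, pre


def is_newer(candidate: str, installed: str) -> bool:
    """Correct comparison: parse both sides before comparing."""
    return parse_version(candidate) > parse_version(installed)


def is_newer_by_string(candidate: str, installed: str) -> bool:
    """The buggy comparison Micah describes: lexicographic, so "10" sorts before "9"."""
    return candidate > installed


if __name__ == "__main__":
    # Constructed address, not a real signing-key UID
    info = wkd_lookup("Release.Signer@Example.ORG")
    print("WKD hash:", info["hash"])
    print("advanced:", info["advanced"])
    print("direct:  ", info["direct"])
    print("string compare says 10.0 newer than 9.5:", is_newer_by_string("10.0", "9.5"))
    print("parsed compare says 10.0 newer than 9.5:", is_newer("10.0", "9.5"))
```

A launcher would try the advanced URL first and fall back to the direct one, then verify the downloaded key's fingerprint against the one it ships before trusting any signature made with it; the URL construction alone does not authenticate the key, the TLS connection to the publishing domain does.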
Other developers on the project are also reviewing the code as this is being written. Hopefully this corrects the error, or does in due time!