ARM64 Tor Browser Maintainer

Info for the trust section in the TBB documentation:

Heikki Lindholm


Builds will soon feature a dev signed sha256sum hash file of all builds for verification.

He’s also contributed in the past to gnunet, libmicrohttpd, jackaudio and Debian’s xorg package.

public key from: https://h-lindholm.net/pubkey

pub ed25519/6AF15D1E45FDCEC9 2021-06-06 [C] [expires: 2024-06-05]
Key fingerprint = 24F1 41A3 B988 B6C3 50B9 3758 6AF1 5D1E 45FD
uid Heikki Lindholm holin@iki.fi
sub ed25519/5890EDB800F7C53D 2021-06-06 [S] [expires: 2022-06-06]
sub cv25519/645123E7AD3B24EF 2021-06-06 [E] [expires: 2024-06-05


Trusting Downloaded Images

This is already the case. Download and verification of Tor Browser works very similar in tb-updater for Intel / AMD64 builds (from The Tor Project (TPO)) as well as arm64 builds (Heikki Lindholm). Difference is the download location (TPO website vs Heikki Lindholm sourceforge) and the OpenPGP (gpg) singing key.

E-mail sent just now.

new gpg key fingerprint?

Hello Heikki,

tor-browser-linux-arm64-11.0.14_en-US.tar.xz.asc is signed with

gpg --verify tor-browser-linux-arm64-11.0.14_en-US.tar.xz.asc
gpg: assuming signed data in ‘tor-browser-linux-arm64-11.0.14_en-US.tar.xz’
gpg: Signature made Fri 10 Jun 2022 10:41:23 AM UTC
gpg: using EDDSA key 17646366EFF82DB13E5CCDB23A557859C963442B
gpg: Can’t check signature: No public key

But I couldn’t find the EDDSA key with fingerprint 17646366EFF82DB13E5CCDB23A557859C963442B or any key transition statement. Please advice.

Kind regards,

Hello Patrick,

My signing keys will be valid for one year at a time. For .14 it was time for a new key, so, get the corresponding pubkey update at:


or the README.

To avoid any confusion, I haven’t uploaded my (new EDDSA) keys to any key server because there’s an older RSA key with the same e-mail which I thought to revoke but so far never got around to.

– hl