tb-updater - GPG download signature could NOT be verified. - This key expired.

Support
1

ok, i did the commands you suggested me, but still getting the error while updating

INFO: Auto detecting ARCH...
INFO: ARCH x86_64 detected.
INFO: Auto detecting ARCH_DOWNLOAD...
INFO: ARCH_DOWNLOAD linux64 detected.
[INFO] [torbrowser-downloader] INFO: CURL_PROXY: --proxy socks5h://tb-updater_fa220be3-7b52-4f3c-9575-3c802d81587b:password@10.152.152.10:9115
[INFO] [torbrowser-downloader] INFO: tbb_version_previous_downloaded_version: 9.0.9
[INFO] [torbrowser-downloader] INFO: stdin connected to terminal, setting TB_INPUT to stdin, will use terminal for input, ok.
[INFO] [torbrowser-downloader] INFO: Alternatively, if want to run from command line, but still use the graphical user interface for input, you could add to command line: --input gui
INFO: not running inside Qubes DVM Template, ok.
INFO: tbb_download_alpha_version: false
INFO: Running Tor enabled check... Done.
INFO: Running Tor bootstrap check... Done.
INFO: Running connectivity check... 
INFO: CURL_OUT_FILE: /home/user/.cache/tb/temp/tbb_remote_folder
INFO: Connectivity check succeeded.
INFO: Find out latest version... Downloading: https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions... 
INFO: CURL_OUT_FILE: /home/user/.cache/tb/RecommendedTBBVersions
INFO: Done, downloaded https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions.
INFO: tbb_download_alpha_version: false
INFO: Lowest online version might be: 9.5
INFO: Currently installed version: None installed. (Folder /home/user/.tb/tor-browser does not exist.)
Only versions still considered secure should be listed here. Higher version numbers does not necessarily mean more secure here. Could be alpha or beta versions. In most cases you are best off choosing the lowest version number among them.
Learn more about this Download Confirmation Screen.
https://www.whonix.org/wiki/Tor_Browser/Download_Confirmation_Screen
QUESTION: Download now?
n/9.5/9.5.1/9.5.3/10.0a1/10.0a2/10.0a4/10.0a5?
9.5.3                            
INFO: Version 9.5.3 chosen.
INFO: Tor Browser language variable TB_LANG was not yet set. Therefore defaulting TB_LANG to 'en-US', ok.
INFO: Because you are not using --nokilltb, now killing eventually still running instances of Tor Browser...
firefox: no process found
INFO: Downloading GPG signature... Will take a moment...
INFO: Downloading:
      https://dist.torproject.org/torbrowser/9.5.3/sha256sums-unsigned-build.txt.asc ... Will take a moment...
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/sha256sums-unsigned-build.txt.asc
INFO: Done, downloaded https://dist.torproject.org/torbrowser/9.5.3/sha256sums-unsigned-build.txt.asc.
INFO: Downloading sha256sums file... Will take a moment...
INFO: Downloading:
      https://dist.torproject.org/torbrowser/9.5.3/sha256sums-unsigned-build.txt ... Will take a moment...
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/sha256sums-unsigned-build.txt
INFO: Done, downloaded https://dist.torproject.org/torbrowser/9.5.3/sha256sums-unsigned-build.txt.
INFO: Downloading Tor Browser Bundle: 9.5.3
INFO: Downloading:
      https://dist.torproject.org/torbrowser/9.5.3/tor-browser-linux64-9.5.3_en-US.tar.xz ... Will take a while...
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/tor-browser-linux64-9.5.3_en-US.tar.xz
INFO: Done, downloaded https://dist.torproject.org/torbrowser/9.5.3/tor-browser-linux64-9.5.3_en-US.tar.xz.
INFO: GPG signature verification... This will take a moment...
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
GPG download signature could NOT be verified.
Tor Browser update failed! Try again later.

gpg_bash_lib_output_alright_status: false
gpg_bash_lib_output_failure: 

gpg_bash_lib_output_diagnostic_message:

gpg_bash_lib_internal_gpg_verify_status_fd_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keybox '/home/user/.cache/tb/gpgtmpdir/pubring.kbx' created
gpg: key 4E2C6E8793298290: 1 duplicate signature removed
gpg: key 4E2C6E8793298290: 236 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 1 signature reordered
gpg: /home/user/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Fri 24 Jul 2020 04:16:54 PM UTC
gpg:                using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) " [expired]
gpg: Note: This key has expired!
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2
gpg_bash_lib_output_gpg_verify_status_fd_output:
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1503660203
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1503660390
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1535109984
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] KEYEXPIRED 1599945844
[GNUPG:] SIG_ID Tmkg474j7SZzfKGjdcJp7+u1gzQ 2020-07-24 1595607414
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1503660203
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1503660390
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1535109984
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] EXPKEYSIG EB774491D9FF06E2 Tor Browser Developers (signing key) 
[GNUPG:] VALIDSIG 110775B5D101FB36BC6C911BEB774491D9FF06E2 2020-07-24 1595607414 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1503660203
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1503660390
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEYEXPIRED 1535109984
[GNUPG:] KEYEXPIRED 1598268349
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
2

Confirmed. Fixed just now in all Whonix repositories. Should be fixed.

  1. upgrade as per usual as per:
  1. update-torbrowser should now be functional as per usual.

(Technical background: OpenPGP key tbb-team.asc was outdated. The signing key was expired. Upstream extended the key but it wasn’t updated on in the tb-updater package yet. Now fixed. No danger/harm except this usability issue.)

3

Hi!

I’m getting this issue again on a fresh installation of Kicksecure after converting a fresh Debian 12 install to Kicksecure.

When I run update-torbrowser it fails with the following:

gpg_bash_lib_output_failure: 

gpg_bash_lib_output_diagnostic_message:

gpg_bash_lib_internal_gpg_verify_status_fd_file: /home/ad0/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /home/ad0/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key) " 5 new signatures
gpg: key 4E2C6E8793298290: "Tor Browser Developers (signing key) " 3 new subkeys
gpg: Total number processed: 1
gpg:            new subkeys: 3
gpg:         new signatures: 5
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Wed 13 Sep 2023 08:27:50 PM CEST
gpg:                using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate]
gpg: Note: This key has expired!
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5  4901 E53D 989A 9E2D 47BF
gpg_bash_lib_output_gpg_verify_status_fd_output:
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1641301932
[GNUPG:] KEYEXPIRED 1694951612
[GNUPG:] KEYEXPIRED 1535109984
[GNUPG:] KEYEXPIRED 1503660390
[GNUPG:] KEYEXPIRED 1503660203
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] KEYEXPIRED 1694951612
[GNUPG:] SIG_ID EdBY08YpAp66GdG/r9TfmrAaSxo 2023-09-13 1694629670
[GNUPG:] KEYEXPIRED 1641301932
[GNUPG:] KEYEXPIRED 1694951612
[GNUPG:] KEYEXPIRED 1535109984
[GNUPG:] KEYEXPIRED 1503660390
[GNUPG:] KEYEXPIRED 1503660203
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] EXPKEYSIG E53D989A9E2D47BF Tor Browser Developers (signing key) 
[GNUPG:] VALIDSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF 2023-09-13 1694629670 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] KEYEXPIRED 1641301932
[GNUPG:] KEYEXPIRED 1694951612
[GNUPG:] KEYEXPIRED 1535109984
[GNUPG:] KEYEXPIRED 1503660390
[GNUPG:] KEYEXPIRED 1503660203
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] KEYEXPIRED 1641301932
[GNUPG:] KEYEXPIRED 1694951612
[GNUPG:] KEYEXPIRED 1535109984
[GNUPG:] KEYEXPIRED 1503660390
[GNUPG:] KEYEXPIRED 1503660203
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0

I attempted the solution the user in this thread posted:
forums(dot)whonix(dot)org/t/tor-browser-downloader-error-expired-signing-key/12077

But to no avail.

In the meantime, I will use the manual method to install Tor Browser, but I figured ths is worth mentioning.

Thanks a lot in advance, and take care.

4

I have the same issue, I get the same GPG error when trying to update to 12.5.4 with the default Whonix Tor Browser Downloader.

1 Like
5

Confirmed.

Apparently upstream (torproject.org) signing key is outdated.

Workaround:
Tor Browser Essentials chapter Tor Browser Manual Update in Whonix wiki

Technical details:

gpg --keyid-format=long --with-keygrip --with-subkey-fingerprints --fingerprint --verbose 

torbrowser@torproject.org
gpg: using pgp trust model
gpg: Note: signature key D1483FA6C3C07136 expired Fri 24 Aug 2018 11:26:24 AM UTC
gpg: Note: signature key EB774491D9FF06E2 expired Tue 04 Jan 2022 01:12:12 PM UTC
gpg: Note: signature key E53D989A9E2D47BF expired Sun 17 Sep 2023 11:53:32 AM UTC
gpg: Note: signature key 2E1AC68ED40814E0 expired Fri 25 Aug 2017 11:26:30 AM UTC
gpg: Note: signature key 7017ADCEF65C2036 expired Fri 25 Aug 2017 11:23:23 AM UTC
gpg: Note: signature key 2D000988589839A3 has been revoked
pub   rsa4096/4E2C6E8793298290 2014-12-15 [C] [expires: 2025-07-21]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
      Keygrip = EE035CBF1DC6E873F6D57F8B6F9AFBFFD5640FE2
uid                 [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   rsa4096/D1483FA6C3C07136 2016-08-24 [S] [expired: 2018-08-24]
      Key fingerprint = A430 0A6B C93C 0877 A445  1486 D148 3FA6 C3C0 7136
      Keygrip = 16FCDB51B7A53BB939E76B240BE515F7D0CC12BD
sub   rsa4096/EB774491D9FF06E2 2018-05-26 [S] [expired: 2022-01-04]
      Key fingerprint = 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2
      Keygrip = 458F50DF0D51E87F3D16DF5D6E4CD452F03F4EF6
sub   rsa4096/E53D989A9E2D47BF 2021-09-17 [S] [expired: 2023-09-17]
      Key fingerprint = 6131 88FC 5BE2 176E 3ED5  4901 E53D 989A 9E2D 47BF
      Keygrip = CF388492A52199F2C2F62038F985C108EA92346D
sub   rsa4096/2E1AC68ED40814E0 2014-12-15 [S] [expired: 2017-08-25]
      Key fingerprint = BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
      Keygrip = 5A5579033A19520429B44920E7387DE7EA32A63F
sub   rsa4096/7017ADCEF65C2036 2014-12-15 [S] [expired: 2017-08-25]
      Key fingerprint = 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
      Keygrip = 591878866E15BE3A6C2697385F4C24F5DD431140
sub   rsa4096/2D000988589839A3 2014-12-15 [S] [revoked: 2015-08-26]
      Key fingerprint = 05FA 4425 3F6C 19A8 B7F5  18D4 2D00 0988 5898 39A3
      Keygrip = 3B02A7742811F1333EFF1780C5CAAC182F39371E

This one:

gpg: Note: signature key E53D989A9E2D47BF expired Sun 17 Sep 2023 11:53:32 AM UTC

gpg --verify tor-browser-linux64-12.5.4_ALL.tar.xz.asc

gpg: assuming signed data in ‘tor-browser-linux64-12.5.4_ALL.tar.xz’
gpg: Signature made Wed 13 Sep 2023 06:27:50 PM UTC
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from “Tor Browser Developers (signing key) torbrowser@torproject.org” [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF

This one:

gpg: Note: This key has expired!

Could you report this upstream against torproject.org please?

6

Upstream is aware of the issue:

A similar project also has this issue:

7