Tor Browser 13.0.6 - Downgrade attack warning

Hi there,

Im on Qubes 4.1, which is still on whonix 16. When running TB downloader, i’m getting this as a result:

Installation confirmation

Currently installed version:
Downloaded version :

You are likely target of a downgrade attack, SAY NO NOW! The downloaded signature is older than the last known signature. Unless you are downgrading, you should abort now and try again later!

Previous Signature Creation Date:
November 23 11:17:24 UTC 2023
Last Signature Creation Date :
August 08 18:35:39 UTC 2022

The signature looks quite old already.


  • your clock might be fast (at least 454 days 13 hours 18 minutes 14 seconds fast). In that case, please check your clock is correct.
  • there is really no newer signature yet. The signature is really older than 30 days already. (Older than 454 days 13 hours 18 minutes 14 seconds already.)
  • this is a update-torbrowser bug
  • this is an attack
    gpg reports:
    gpg: Signature made Mon 08 Aug 2022 06:35:39 PM UTC
    gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
    gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate]
    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
    Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF

This message looks different, but also like it could be related to this post made about 10h ago:


Please advise how to procede.

Tor Browser Updater by Whonix developers correctly detected this.
The signature creation date is outdated indeed.

Bug reported upstream at The Tor Project just now:

  1. Do nothing.
  2. Check what upstream replies.
  3. Wait for a new release where this is fixed or if upstream re-signs the release with a proper gpg signature creation date.

Not a Whonix issue. This is reproducible without Whonix being involved. Unspecific to Whonix.

Quote New Release: Tor Browser 13.0.6 (Desktop) - News - Tor Project Forum

Thanks for reporting! Applications team is aware of the issue and working on this, Set time on signing machine before starting signing (#41037) · Issues · The Tor Project / Applications / tor-browser-build · GitLab

Quote tor-browser-linux-x86_64-13.0.6.tar.xz signed with outdated gpg signature creation timestamp - easily confused as downgrade attack (#40898) · Issues · The Tor Project / Core / Tor · GitLab

New signatures have been emitted for TB 13.0.6 today.

[fixed clarified typo]

@adrelanos This has been resolved. The issue is that we re-booted our signing machine. This machine does not have unfettered access to the internet, and so cannot access time servers. @boklm manually updated the system’s time and I’ve re-gpg-signed our build artifacts this morning. In the future we’ll add this system-time updating step to our signing scripts.