Tor Browser Downloader (by Whonix developers) cancels the download. I have tried it in the last 5 days several times. It cancels the download at different levels of completions between 50% to 70% (~45 minutes) with the error message below. I have not recieved any error message during installation. I can use Tor browser from my host OS(Win10) and can download big files without any problem.
I can download it manually but I want to understand the reason because I experienced a trojan infection before in my other computers. This one is new with a new connection.
The rest are alpha or hardened alpha versions. I tried them but I am not sure if I tried all of them. I will check it. But interesting thing is that it starts downloading and downlads 70% approximately and cancels it (with a speed under 1Kb/s). Why it starts downloading I don’t understand. I can browse the internet with Iceweasel in a normal speed.
You weren’t infected by the trojan because you downloaded manually - you were infected because you presumably didn’t verify the gpg signature. There is no material difference between using Tor Browser Downloader and doing it yourself manually (other than convenience).
The infections were in my previous computers. I was using Windows, flashdisks, etc. I was aware of nothing.
After this bad experience I read about the topic and bought a new laptop and a connection. I verified the Whonix images by gpg4win with different signature files downloaded from different Tor circuits. I downloded gpg4win using the certificate from https://ssl.intevation.de
May be I became paranoid but I had enough reasons. Before Whonix I wanted to install Qubes and decided to buy it from www.osdics.com by air-mail and I asked a question to Marek Marczykowski Gorecki about the trust level of that company. He said to me that the web page did not sell qubes and maybe someone wanted to send me a fake DVD. I checked it from a different computer and connection that yes! they were not selling Qubes! This is something like Postman-In-The-Middle-Attack.
If this download promlem is not a virus-infection indication, there is no problem for me. I can download Tor browser manually and verify it.
I tried each of them and couldn’t download.[quote=“entr0py, post:4, topic:2396”]
There is no material difference between using Tor Browser Downloader and doing it yourself manually
I receive curl_status_message: . The code  means “certificate rejected” if I am correct. What I am trying to understand is that is this because of the process difference which “Tor Browser Downloader” uses or is it an indication of an infection…
Might indicate a very slow connection (for whatever reason, slow Tor entry guard or otherwise). To get around that you can try to increase the timeout. Currently only possible by manually editing with root rights.
kdesudo kwrite /usr/bin/update-torbrowser
Search for curl_download_max_time= and increase the timeout (in seconds).
Unlikely. I think we need a wiki entry for this, but no, for any serious malware it would be a disgrace of the malware author if you could spot it through this.
I increased the value from 180sec to different values. At the end I used 14400sec and got an error message about partial file download (below). Does the Tor Browser Downloader use a different protocol for downloadig? I can download files using Iceweasel which uses the same Tor.
/usr/bin/update-torbrowser has several instances of curl_download_max_time.
The instances that use a default of 180 secs are for downloading small stuff: connectivity checks, version numbers, signatures.
The instance of curl_download_max_time that you need to change is the one that defaults to 3600. This is the one related to the download of the package itself. (Or increase all of the timeouts. You can get a better idea of what is failing by running update-torbrowser in a terminal.)
The whole point of verifying using GPG signatures is that you don’t need to trust your counterparty (for file integrity that is). Feel free to download from piratebay, over http, or anywhere else that works for you. The important thing is that you need to verify the fingerprint of the key using an independent channel. For example, you could send encrypted email to random people on the mailing list asking for the Qubes Master Signing Key fingerprint. Unless they are all part of a giant conspiracy, you should wind up with the correct fingerprint. Using multiple Tor circuits may help with a MITM attack but it won’t help if the key hoster is compromised to begin with.