Tor browser downloader confirmation has changed with less info

Using Tor browser downloader in workstation 18 template. After downloading, the confirmation window contents have changed and no longer match what is in the wiki.

Now it says “sqop reports” instead of “gpg reports”

I'm guessing this is an improvement but the gpg reports was more readable. sqop looks like a log output with no breaks in the fingerprint and no good signature info or trust info.

If this is the new window, perhaps an update can be made to the wiki?

2 Likes

Port to Sequoia-PGP (“sq”) (GnuPG (“gpg”) replacement) - OpenPGP has been completed. Reasons:

So this is very much expected.

Currently only something such as the following is shown:

```
'sqop' reports:
2026-04-07T08:19:50Z CAAE408AEBE2288E96FC5D5E157432CF78A65729 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 mode:binary {"signers":["/usr/share/torbrowser-updater-keys.d/tbb-team.asc"]}
```

Just now I’ve implemented also showing the output by sq.

```
'sq' reports:
Authenticated signature made by EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 (Tor Browser Developers (signing key) )

1_authenticated signature.
```

That’s not super informative either and lacks signature creation date (but it will show up above). Here is a full example.

```
update-torbrowser (user) [NOTICE]: Installation confirmation
Currently installed version: 15.0.5
Downloaded version         : 15.0.9
The downloaded signature is newer than the last known signature as expected.
Previous Signature Creation Date: November 11 07:43:11 UTC 2025
Last Signature Creation Date    : April 07 08:19:50 UTC 2026
According to your system clock, the signature was created 1 days 58 minutes 57 seconds ago.
'sqop' reports:
2026-04-07T08:19:50Z CAAE408AEBE2288E96FC5D5E157432CF78A65729 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 mode:binary {"signers":["/usr/share/torbrowser-updater-keys.d/tbb-team.asc"]}
'sq' reports:
Authenticated signature made by EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 (Tor Browser Developers (signing key) )

1_authenticated signature.
Learn more about this Installation Confirmation Notification.
https://www.whonix.org/wiki/Tor_Browser#Installation_Confirmation_Notification
```

I am not sure output by sq packet dump would be helpful.

```
sq packet dump /home/user/.cache/tb/files/tor-browser-linux-x86_64-15.0.9.tar.xz.asc
Signature Packet, old CTB, 563 bytes
    Version: 4
    Type: Binary
    Pk algo: RSA
    Hash algo: SHA512
    Hashed area:
      Issuer Fingerprint: CAAE408AEBE2288E96FC5D5E157432CF78A65729
      Signature creation time: 2026-04-07 08:19:50 UTC
    Unhashed area:
      Issuer: 157432CF78A65729
    Digest prefix: 054B
    Level: 0 (signature over data)
```

And it would also require research if output by sq packet dump is trusted and a good idea to show to users. If signature verification succeeded, then the output by sq packet dump may be considered trustworthy within the threat model. But if signature verification failed, then sq packet dump might contain malicious output, because it’s a debug tool that shows OpenPGP “packets”, not a verification tool.

The output is a usability regression but the port to Sequoia-PGP is very much worthwhile anyhow for security reasons as per GnuPG Usability Security Issues.

Using gpg for automated use cases (use within programs or scripts) is insanely difficult and error prone. sq / sqop simplified this a lot.

Ideally, this Tor Browser Downloader (by Whonix developers) (tb-updater) notification can one day be fully avoided. (APT / DNF do not require that either and process a lot more updates.) This is dependent on upstream, The Tor Project, Tor Browser feature request / bug report:

Related:

1 Like
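For readers who want the single `sqop` line in a more readable form, here is a Python sketch that splits it into its fields, checks the primary key fingerprint against a pinned value, and prints the fingerprints in 4-character groups. It is an added example, not tb-updater's code and not posted by anyone in this thread. The field order (timestamp, signing key, primary key, optional mode, free text) follows the Stateless OpenPGP CLI verification-line format; the function names, the pinning check and the older-than-last-known rejection are assumptions of this example.

```python
import string
from datetime import datetime, timezone

# Line copied from the 'sqop' output quoted in this thread.
SAMPLE = ('2026-04-07T08:19:50Z CAAE408AEBE2288E96FC5D5E157432CF78A65729 '
          'EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 mode:binary '
          '{"signers":["/usr/share/torbrowser-updater-keys.d/tbb-team.asc"]}')
# Primary key fingerprint as printed by 'sq' in this thread.
PINNED_PRIMARY = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
# "Previous Signature Creation Date" from the notification in this thread.
LAST_KNOWN = datetime(2025, 11, 11, 7, 43, 11, tzinfo=timezone.utc)

def _fingerprint(value):
    """Accept only 40 (v4) or 64 (v6) hex digits; return them upper-cased."""
    if len(value) not in (40, 64) or any(c not in string.hexdigits for c in value):
        raise ValueError(f"not a fingerprint: {value!r}")
    return value.upper()

def parse_verification(line):
    """Split one line: timestamp, signing key, primary key, [mode], free text."""
    fields = line.strip().split(" ", 3)
    if len(fields) < 3:
        raise ValueError("expected a timestamp and two fingerprints")
    created = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    detail = fields[3] if len(fields) == 4 else ""
    mode = None
    if detail.startswith("mode:"):
        mode, _, detail = detail[len("mode:"):].partition(" ")
    return {"created": created.replace(tzinfo=timezone.utc),
            "signing": _fingerprint(fields[1]),
            "primary": _fingerprint(fields[2]), "mode": mode, "detail": detail}

def grouped(fpr):
    """Render a fingerprint in 4-character groups."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def check(line, pinned_primary, last_known):
    """Parse, then reject an unexpected certificate or an older signature."""
    v = parse_verification(line)
    if v["primary"] != pinned_primary.upper():
        raise ValueError("signature is from an unexpected certificate")
    if v["created"] < last_known:  # assumption: equal timestamps are accepted
        raise ValueError("signature is older than the last known one")
    return v

def summary(v):
    return "\n".join([
        "Signature created : " + v["created"].strftime("%Y-%m-%d %H:%M:%S UTC"),
        "Signing (sub)key  : " + grouped(v["signing"]),
        "Primary key       : " + grouped(v["primary"]),
        "Signature mode    : " + (v["mode"] or "not reported")])

if __name__ == "__main__":
    print(summary(check(SAMPLE, PINNED_PRIMARY, LAST_KNOWN)))
```

The line should only be parsed when it comes from a verification run that exited successfully; the parser reformats what the verifier reported and does not verify anything itself.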

Thanks for the explanation

This does improve it. I’ll adapt to the fingerprint being in one chunk, I just heavily associate 4 character chunks with gpg and so something looked very wrong when the new window popped up :slight_smile:

It doesn’t seem to add anything additionally useful to me (even before the potential tradeoffs)

I appreciate the recent changes you are making to harden whonix (even if sometimes it is confusing, requires changing how I use whonix and mostly under the hood or beyond my comprehension). I prefer knowing that when I want to be really secure and private online, I can use whonix

1 Like

The new sq verify output version is now available in all repositories.

1 Like

Edit

I tried the downloader again an hour ago and the sq verify part did not appear, only the sqop one. I thought maybe I needed to update whonix ws 18 template first so I did that but that automatically updated Tor version so I couldn’t verify the new output. Just FYI

BTW, I have been increasingly getting signature verification errors that relate to the not before flag. If I run the update a couple more times it eventually fixes itself. I can move this part if you want… I notice this thread has been moved from qubes sub forum to general support

Version 3:51.9-1 has this feature.

```
dpkg -l | grep tb-updater
ii tb-updater 3:44.4-1 all Tor Browser Downloader by Whonix developers
```

The involved code paths are the same for all platforms.

1 issue = 1 forum thread please.

1 Like