Tor browser downloader GPG download signature could not be verified!

I installed whonix-cli and manually installed kde-standard and tb-starter, but when the tor downloader prompts me to download tor browser 10.17, the following message appears right after downloading:

ERROR: GPG download signature could NOT be verified. 
Tor Browser update failed! Try again later. 
gpg_bash_lib_output_alright_status: false 
gpg_bash_lib_output_failure: 
gpg_bash_lib_output_diagnostic_message: 
gpg_bash_lib_internal_gpg_verify_status_fd_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keybox '/home/user/.cache/tb/gpgtmpdir/pubring.kbx' created
gpg: /home/user/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Tue 01 Jun 2021 09:58:45 PM UTC
gpg: using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate]
gpg: Note: This key has expired!
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2
gpg_bash_lib_output_gpg_verify_status_fd_output:
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1623465323
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] KEYEXPIRED 1623465323
[GNUPG:] SIG_ID Lu9TqnEQ8U5n8/x+sNU8z9Y26B8 2021-06-01 1622584725
[GNUPG:] KEYEXPIRED 1623465323
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] EXPKEYSIG EB774491D9FF06E2 Tor Browser Developers (signing key) 
[GNUPG:] VALIDSIG 110775B5D101FB36BC6C911BEB774491D9FF06E2 2021-06-01 1622584725 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] KEYEXPIRED 1623465323
[GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23

I wonder if there is a step I ommited. Thanks!

1 Like

I’ve got the exact same problem ^^^

Confirmed.

Fixed after upgrades.

[tbb-dev] Updated Tor Browser Signing Key

Hello everyone,

The Tor Browser OpenPGP signing key expired on 12 June. We extended the expiration of the subkey again, due to the pandemic. We hope this is the last time that will be necessary.

The valid key should be available from keys.openpgp.org now. The key is attached, as well.

FYI a test now shows:

user@host:~$ gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg: keybox ‘/home/user/.gnupg/pubring.kbx’ created
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 0x4E2C6E8793298290: public key “Tor Browser Developers (signing key) torbrowser@torproject.org” imported
gpg: Total number processed: 1
gpg: imported: 1
pub rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2025-07-21]
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) torbrowser@torproject.org
sub rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2022-01-04]

1 Like

Related folders:


gpg --keyid-format long --import --import-options show-only --with-fingerprint /usr/share/torbrowser-updater-keys.d/tbb-team.asc