How does switching to a ‘direct’ signature verification fix this issue, if the issue was with the public key Tor used for this Tor release?
Also, I just had something very weird happen to me this morning. I opened a Qube based on a Whonix-ws-16 template, opened Tor Browser, and the browser auto updated to 11.0.3. A small window popped up informing me of this update, which I tried to click out of because I knew of this verification issue, but it continued anyway and 11.0.3 was installed. This made me feel very uncomfortable, so I contacted a colleague I know who also runs Qubes, and he opened a Whonix based Qube as well, and the same exact thing happened after a few times of opening and closing Tor. Has anyone else here had this experience?
Even odder, the Tor Browser Downloader in my Whonix-ws-16 Template informed us both that we were now updated to 11.0.3. This shouldn’t be the case due to Qubes’ compartmentalization - only Tor in the App Qube had been updated. Neither of us had performed this update yesterday because we were unable to (because of the problem discussed above in the forum posts).
We then updated the whonix templates using Qubes Updater, which updated tb-updater, and ran Tor Browser Downloader in Whonix-ws-16 template again. We continued forward for a fresh install of 11.0.3. It was able to verify now because of the change to direct signature verification posted by Patrick above. What concerned me again, was that it showed ‘previous signature’ as December 9th, and ‘last signature’ as December 20th, even though both versions were supposedly 11.0.3 (Again - I was just trying to download a fresh browser profile and ensure I had a proper version). This doesn’t make sense, as 11.0.3 was released on December 20th, a signature couldn’t have been created before that date. When I run Tor Browser Downloader one more time, it now shows me as both signatures on December 20th - this makes me think that the auto updated December 9th sig 11.0.3 wasn’t legitimate.
Does anyone else have the above experience or possible explanations?
I appreciate your comments.
Robert