In Qubes Whonix, my Tor browser was in a very outdated version. After a little investigation I realised, that I should update my Tor Browser independently from my Whonix templates. So I did that and recently upgraded it from the Tor Browser Downloader GUI, but then the following thing happened.
The attempt to ugrade ended up with this error message:
ERROR: Digital signature (GPG) could NOT be verified.
Tor Browser update failed! Try again later.
gpg_bash_lib_output_alright_status:
gpg_bash_lib_output_failure:
gpg_bash_lib_output_diagnostic_message:
gpg_bash_lib_internal_gpg_verify_status_fd_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keybox ‘/var/cache/tb-binary/.cache/tb/gpgtmpdir/pubring.kbx’ created
gpg: key 4E2C6E8793298290: 1 duplicate signature removed
gpg: key 4E2C6E8793298290: 236 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 1 signature reordered
gpg: /var/cache/tb-binary/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made (REDACTED, a bit more than a week ago)
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: BAD signature from "Tor Browser Developers (signing key) " [ultimate]
gpg_bash_lib_output_gpg_verify_status_fd_output:
More strangely after I had this warning, the Tor Browser Downloader now clearly says that my currently installed version is 13.5. Even if at the end it didn’t supposed to be installed and my previous attempt ended up with the error message above.
Should I worry? Should I maybe reinstall my all Whonix templates? What could be the problem?