Tor Browser weird update experience

In Qubes Whonix, my Tor Browser was a very outdated version. After a little investigation I realised that I should update my Tor Browser independently from my Whonix templates. So I did that and recently upgraded it from the Tor Browser Downloader GUI, but then the following thing happened.

The attempt to upgrade ended up with this error message:

ERROR: Digital signature (GPG) could NOT be verified.
Tor Browser update failed! Try again later.
gpg_bash_lib_output_alright_status:
gpg_bash_lib_output_failure:
gpg_bash_lib_output_diagnostic_message:
gpg_bash_lib_internal_gpg_verify_status_fd_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keybox ‘/var/cache/tb-binary/.cache/tb/gpgtmpdir/pubring.kbx’ created
gpg: key 4E2C6E8793298290: 1 duplicate signature removed
gpg: key 4E2C6E8793298290: 236 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 1 signature reordered
gpg: /var/cache/tb-binary/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made (REDACTED, a bit more than a week ago)
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: BAD signature from "Tor Browser Developers (signing key) " [ultimate]
gpg_bash_lib_output_gpg_verify_status_fd_output:

More strangely, after I had this warning, the Tor Browser Downloader now clearly says that my currently installed version is 13.5, even though in the end it wasn't supposed to be installed and my previous attempt ended with the error message above.

Should I worry? Should I maybe reinstall all my Whonix templates? What could be the problem?

No. This was not an indicator of compromise. A digital software signature could not be verified, the signature got rejected, the process safely stopped. That's the end of it.

See also:
Valid Compromise Indicators versus Invalid Compromise Indicators

Because of Tor Browser Internal Updater, which is different from Tor Browser Downloader by Whonix.

There is no indication that it would be needed.

Download issue. → Try again.


Thank you for the help!

One more question: now when I update to version 13.5.1, Tor Browser Downloader says that the Tor Project signature has just changed. Where can I check if this is correct? I tried to search, but failed. Is the following correct? Here is the message from the Installation Confirmation window:

"
(…)
The downloaded signature is newer than the last known signature as expected.

Previous Signature Creation Date:
June 20 18:06:55 UTC 2024
Last Signature Creation Date :
July 10 12:29:25 UTC 2024

According to your system clock, the signature was created 2 days (…) ago.

gpg reports:
gpg: Signature made Wed 10 Jul 2024 12:29:25 PM UTC
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate]
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF
(…)"

Installation Confirmation Notification
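The two situations in this thread, a BAD signature that must abort the update and a new Good signature whose key and creation date then have to be checked, come down to a small decision over gpg's machine-readable `--status-fd` output. The following is an added example written for this thread, not code from Whonix's tb-updater or gpg_bash_lib. The status lines are constructed to mirror the outputs quoted above; the pinned fingerprint is the primary key fingerprint shown in the Installation Confirmation notification; the "signature must not be older than the last accepted one" rule is my reading of the "newer than the last known signature" message and is an assumption about how the real tool behaves.

```python
"""Decide whether a Tor Browser signature check should pass or abort.

Added example for this thread (not Whonix's tb-updater / gpg_bash_lib).
It parses gpg --status-fd lines and applies three rules:
  1. BADSIG (or no checkable signature) aborts, as happened in the first post.
  2. A good signature only counts if the signing key's *primary* fingerprint
     matches the pinned Tor Browser Developers key, so a key that merely
     carries the same name is rejected.
  3. The signature may not be older than the last accepted one (assumed
     rollback check, modelled on the "newer than the last known signature"
     message in the notification).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Primary key fingerprint of "Tor Browser Developers (signing key)", as shown
# in the Installation Confirmation notification quoted in the thread.
TOR_BROWSER_PRIMARY_FPR = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Creation time of the previously accepted signature from the notification
# (June 20 18:06:55 UTC 2024) as a unix timestamp.
PREVIOUS_SIG_TS = 1718906815

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signing_subkey: Optional[str] = None
    primary_fpr: Optional[str] = None
    created: Optional[datetime] = None


def normalize_fpr(text: str) -> str:
    """Turn a fingerprint as displayed ('EF6E 286D ...') into bare hex."""
    return "".join(text.split()).upper()


def parse_status(lines: Iterable[str]):
    """Yield (keyword, args) for each '[GNUPG:] KEYWORD args...' line."""
    for raw in lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable gpg text, not machine status
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            yield parts[0], parts[1:]


def check_signature(status_lines, pinned_primary_fpr=TOR_BROWSER_PRIMARY_FPR,
                    last_accepted_ts=None) -> VerifyResult:
    """Return a VerifyResult; ok=True only if all three rules above hold."""
    result = VerifyResult(ok=False, reason="no signature status seen")
    for keyword, args in parse_status(status_lines):
        if keyword == "BADSIG":
            # File and signature do not match: stop, exactly as tb-updater did.
            return VerifyResult(False, "BAD signature, update aborted",
                                signing_subkey=args[0] if args else None)
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            return VerifyResult(False, f"{keyword}: signature could not be checked")
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <class> [<primary-fpr>]
            signing = args[0]
            created_ts = int(args[2])
            primary = args[9] if len(args) > 9 else signing
            created = datetime.fromtimestamp(created_ts, tz=timezone.utc)
            if primary != normalize_fpr(pinned_primary_fpr):
                return VerifyResult(False, "good signature, but not from the pinned key",
                                    signing, primary, created)
            if last_accepted_ts is not None and created_ts < last_accepted_ts:
                return VerifyResult(False, "signature older than the last accepted one",
                                    signing, primary, created)
            result = VerifyResult(True, "good signature from pinned Tor Browser key",
                                  signing, primary, created)
    return result


# Constructed status lines modelled on the two outputs quoted in the thread.
BAD_UPDATE = [
    "gpg: Signature made (date omitted)",  # human text, ignored by the parser
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF Tor Browser Developers (signing key)",
]
GOOD_UPDATE = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF Tor Browser Developers (signing key)",
    "[GNUPG:] VALIDSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF 2024-07-10 1720614565 0 4 0 1 10 00 "
    "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]

if __name__ == "__main__":
    print(check_signature(BAD_UPDATE))
    print(check_signature(GOOD_UPDATE, last_accepted_ts=PREVIOUS_SIG_TS))
```

Two details matter for the question asked in the thread: gpg's BADSIG/GOODSIG lines name the signing subkey (6131 88FC …), while the identity to pin is the primary key fingerprint that VALIDSIG reports in its last field (EF6E 286D …), so the check compares the primary fingerprint, not the subkey, and a newer subkey under the same primary key still passes. The creation time is taken from the VALIDSIG timestamp rather than from the human-readable "Signature made" line, which is locale-dependent.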